Thursday 9 November 2023

macOS management with Intune - agent for macOS

The Microsoft Intune management agent enables advanced device management capabilities that aren't supported by the native macOS operating system. It is the equivalent of the Microsoft Intune Management Extension for Windows (codename Sidecar), which adds support for Win32 app and script deployment.

The Intune management agent:

  • is a prerequisite for installing a macOS DMG app on macOS devices.
  • receives assigned shell scripts and runs the scripts based on the configured schedule.

The agent is automatically and silently installed on Intune-managed macOS devices when you assign at least one shell script. The agent usually checks with Intune services for new or updated scripts every 8 hours. This check-in process is independent of the MDM check-in.

I figured that I would deploy a simple shell script to my test device to force the Intune management agent to install in advance of deploying DMG apps. I used something very basic. It doesn't do anything but should install the management agent for me. The important thing is that the shell script begins with #! and that the interpreter it names is in a valid location, such as #!/bin/sh or #!/usr/bin/env zsh.

#!/bin/sh

echo "Hello, world!"
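
A pre-upload check for the shebang rule above, including the case where a text editor saved the file with Windows (CRLF) line endings. This is an added example, not part of the original post or of Microsoft's tooling; the function name check_shebang is hypothetical, and it assumes you run it on a Mac comparable to the target devices so that interpreter paths match.

```shell
#!/bin/sh
# Added example (hypothetical helper): lint a script before uploading it to Intune.
# check_shebang FILE prints a verdict and returns 0 only if the shebang is usable.
check_shebang() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file"; return 2; }

    # Read only the first line; IFS= and -r keep it byte-for-byte.
    first=
    IFS= read -r first < "$file" || [ -n "$first" ] || { echo "empty file"; return 1; }

    # A file saved with CRLF endings leaves a trailing CR on the shebang line,
    # so the OS would look for an interpreter literally named "/bin/sh\r".
    cr=$(printf '\r')
    case $first in
        *"$cr") echo "CRLF line ending on shebang line"; return 1 ;;
    esac

    case $first in
        '#!'*) ;;
        *) echo "first line does not begin with #!"; return 1 ;;
    esac

    # Split e.g. "#!/usr/bin/env zsh" into the interpreter and its argument.
    rest=${first#'#!'}
    set -- $rest
    interp=${1:-}
    arg=${2:-}

    case $interp in
        /*) ;;
        *) echo "interpreter is not an absolute path: '$interp'"; return 1 ;;
    esac
    [ -x "$interp" ] || { echo "interpreter not found: $interp"; return 1; }

    # For the env form, the named command must also resolve on PATH.
    if [ "${interp##*/}" = env ] && [ -n "$arg" ]; then
        command -v "$arg" >/dev/null 2>&1 || { echo "env cannot find: $arg"; return 1; }
    fi
    echo "ok: $interp${arg:+ $arg}"
}
```

Run it as `check_shebang HelloWorld.sh`; a non-zero exit status means the file should be fixed before it is uploaded.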

I copied the Hello World script to a text editor and saved the file as HelloWorld.sh, after which it could be used. Navigate to Devices > macOS > Shell scripts.


Click Add to add your script.


Enter a name and click Next.


Browse to the .sh file and you'll see the contents in the wizard. I don't want the script to run as the signed-in user. Click Next.


Assign the script to a group. Click Next.


Click Add to upload the script and assign it.


The shell script is ready 😉


Back on the macOS client, you can force a policy sync by clicking on the three dots in the Company Portal app and selecting Check status.


The agent is automatically and silently installed on the device at /Library/Intune/Microsoft Intune Agent.app. It doesn't appear in Finder > Applications on macOS devices, but you can see that it appears as IntuneMdmAgent in Activity Monitor.


Double-click the agent and select the Open Files and Ports tab. You can see the library path where it has been installed.


Launch the Library. This is hidden by default. If you hold the alt (or option) key when you click Go, it miraculously appears. It disappears again if you let the key go.


You'll find the IntuneMDMAgent.log file at /Library/Logs/Microsoft/Intune. 


Here you can see the reference to the Sidecar agent, which was the codename for the management agent.

In the Intune portal, you can see that the script has succeeded. The management agent has been installed and I'm ready to deploy a DMG app.
