How to distribute macOS packages via MDM

Headshot of Andrea Pepper, SimpleMDM writer and MacAdmin
Andrea Pepper|February 21, 2024
Stylized product illustration
Stylized product illustration

Got more packages than Amazon on Christmas but wondering how you should deploy them? 📦

SimpleMDM can help with all your macOS .pkg deployments, whether you have dozens, hundreds, or even thousands of Macs.

How packages are distributed

SimpleMDM distributes packages using native Apple MDM commands, including the InstallApplication command. This means no SimpleMDM-related client binary is needed on the macOS device to assist with installation. Once SimpleMDM has provided the installation command to the device, internal macOS processes are used to install the package and run any included scripts properly.

What is the InstallApplication command?

An MDM server issues the InstallApplication command to an Apple device. When the device receives the InstallApplication command, it's instructed to download and install an application (or an update to an existing application). This command is typically packaged in a Property List (.plist) format and encodes several pieces of information, such as:

  • The bundle identifier for the application.

  • The version of the application.

  • The URL from where the .ipa (for iOS devices) or .pkg (for macOS devices) can be downloaded.

Why MDM distribution is important

Since a SimpleMDM client is not required on the device, a new level of streamlined macOS deployment process is possible. For instance, a popular deployment methodology includes utilizing Apple DEP, SimpleMDM, and third-party solutions like Munki, Puppet, or Chef to automatically initialize, configure, and install software on macOS computers.

PDQ ❤️s Munki so much that we integrated Munki into SimpleMDM for simple, secure, and Pretty Damn Quick app installation and management.

(That means we did all the hard work for you!)

Remember: If you are trying to use the Munki Integration and an in-house Munki deployment on the same macOS device, you may end up with a broken or overwritten Munki configuration. This is because the SimpleMDM Munki Integration requires the exact configuration files and binaries as most Munki deployments.

Consider whether you'd like different groups or devices in your fleet to run a SimpleMDM Munki deployment vs. an in-house Munki deployment.

Package requirements

Not all macOS packages are alike. It’s worth noting that macOS has specific requirements for the packages it receives from MDM. If these conditions are not met, the package will fail to install.

The two primary requirements are:

  • The package is a product archive. Product archives are typically built using the macOS productbuild command line utility, with a third-party package building application, or by the app developer.

  • The package is signed. A package may be signed by the app developer, or the package can be signed using the macOS pkgbuild command line utility if not. Only the product archive needs to be signed. Any contained packages may remain unsigned.

Most problems with binary distributions arise because one of these requirements is unmet.

What is the productbuild command?

The productbuild command is a macOS utility that helps you compile and build installation packages. It's used primarily for packaging applications for distribution, often in a professional software development context. You can use productbuild to wrap up an application with all its dependencies and requirements into a single installable .pkg file. This package can then be distributed and installed on other systems, making it easier to manage software distribution, especially in enterprise or large-scale environments. The syntax for the command looks something like this:

bash
productbuild --component /path/to/your.app /Applications/ output_packagename.pkg

This will build an installer package that installs "your.app" into the /Applications/ directory on any machine where it's run. When you use productbuild, you can also include scripts that run before and after the installation, further customizing the installer's actions.

productbuild is part of Apple's command line developer tools, which can be installed free of charge.

Video walkthrough

The video below illustrates the ease of distributing macOS packages with SimpleMDM. In this example, we upload a package file to SimpleMDM and manually push it to our device. In a real-world deployment, the package would likely be uploaded ahead of time, and the device would receive it automatically during MDM enrollment.

FAQ

What is Munki?

Munki is an open-source project that provides macOS administrators with an interface for managing software installation on macOS computers. It automates the installation and removal of software and the management of software updates. The Munki system includes a client that runs on macOS machines and server-side tools that help you manage the software you want to distribute to those clients.

How Munki works

  1. Administrators add software to a Munki server — macOS Installer .pkg or .mpkg files, disk images, .app directories, or scripts.

  2. They define on the server when and where these software packages should be installed.

  3. The client software on each macOS machine periodically communicates with the server, checking for newly available software or updates.

  4. If there is new software or an update, the Munki client automatically downloads and installs it. If the software is no longer required, Munki can remove it.

  5. Munki also supports reporting installation status so admins can monitor the software deployment process.

What is Puppet?

Puppet is an open-source configuration management tool. It's used for managing the configuration of systems, ranging from small numbers of systems to large-scale enterprise environments. Here's how it works: Administrators define the desired state and system configuration in Puppet's declarative language, and then Puppet will ensure that the current state matches the specified desired state. If the current configuration doesn't match the desired state, Puppet will update the system to match it.

Puppet is primarily used for:

  • Installing and managing software packages.

  • Keeping software patched and updated.

  • Managing user access and permissions.

  • Enforcing security policies.

Puppet supports operating systems such as Linux distributions, Windows, and macOS. It's handy in DevOps practices for Infrastructure as Code (IaC) and continuous delivery (CD). Another significant feature of Puppet is that it enables 'idempotency,' meaning you can apply the same configuration multiple times without changing the outcome beyond the first application. This makes managing systems more predictable and stable.

What is Chef?

Chef is an open-source tool used for configuration management. Like Puppet, Chef automates managing and configuring systems in your infrastructure. Chef is based on the Infrastructure as Code principle, where infrastructure configuration is written, tested, and automated as code. This allows developers and system administrators to automate and manage server setup on physical servers, virtual machines, and the cloud.

How Chef works

  • Chef uses recipes to explain how Chef manages server applications and utilities. These recipes are wrapped up into cookbooks, which describe a complete scenario of configuration or policy.

  • The recipes (written in Ruby) are then run on the servers by the Chef client, which pulls down the required configuration from the Chef server.

  • The Chef server acts as a hub for configuration data. The Chef client checks in with the Chef server to get information about the actual node it's running on, the roles it should assume, environments, and details about other systems in your infrastructure.

  • Chef has a robust testing framework, which allows for testing the cookbooks before deployment. Like Puppet, Chef also supports multiple platforms like Linux, Windows, macOS, FreeBSD, Solaris, AIX, and Cisco's IOS.


MacOS package management is currently available for all SimpleMDM accounts. If you still need to get a SimpleMDM account, don't fret! Start your 30-day free trial of SimpleMDM.

Headshot of Andrea Pepper, SimpleMDM writer and MacAdmin
Andrea Pepper

Andrea Pepper is an Apple SME MacAdmin with a problematic lack of impulse control around a software update prompt. When not poking at machines, Pepper enjoys being a silly goose in sunny Colorado with her two gigantic fluffer pups.

Related articles