Distribute macOS PKGs via MDM

Last updated April 19, 2019

SimpleMDM supports the distribution and installation of product archive packages to macOS devices. This article discusses the functionality, why it’s important, what’s required, and includes a video walkthrough.

How Packages are Distributed

SimpleMDM distributes packages using native Apple MDM commands, including the “InstallApplication” command. This means that no SimpleMDM-related client binary is needed on the macOS device to assist with the installation process. Once SimpleMDM has provided the installation command to the device, internal macOS processes are used to properly install the package and run any included scripts.

Why MDM Distribution Is Important

Since a SimpleMDM client is not required on the device, a new level of streamlined macOS deployment process is possible. For instance, a popular deployment methodology includes utilizing Apple DEP, SimpleMDM, and third party solutions like Munki, Puppet, or Chef. This tool stack can initialize, configure, and install software to macOS computers automatically when they are initially unboxed or wiped. You can read more about this in our previous post: Munki Deployment Using Apple DEP and MDM

This methodology also insulates your business processes from the upcoming changes to the macOS filesystem. Specifically, the macOS filesystem will switch from HFS+ to APFS. These changes will break some current imaging and deployment solutions in use today, and could come into effect as early as mid to late 2017 with the release of macOS High Sierra.

Package Requirements

Not all macOS packages are alike. It’s worth noting that macOS has specific requirements for the packages it receives from MDM. If these conditions are not met, the package will fail to install.

The two primary requirements are:

1. The package is a product archive. Product archives are typically built using the macOS productbuild command line utility, with a third party package building application, or by the app developer.
2. The package is signed. A package may be signed by the app developer. If not, the package can be signed using the macOS pkgbuild command line utility. Only the product archive needs to be signed. Any contained packages may remain unsigned.

Most problems with binary distributions arise because one of these two requirements are not met.

Video Walkthrough

The video below illustrates the ease of distributing macOS packages with SimpleMDM. In this example, we upload a package file to SimpleMDM and manually push it to our device. In a real world deployment, the package would likely be uploaded ahead of time and the device would receive it automatically during MDM enrollment.

Getting Started

MacOS package management is currently available for all SimpleMDM accounts. If you have any questions during the process, feel free to reach out to our support team.