Explained: InstallEnterpriseApplication MDM Command

Last updated April 19, 2019

macOS 10.13.6 adds the new MDM verb InstallEnterpriseApplication. What does it do, how does it differ from the preexisting InstallApplication verb, and why does it matter? We explain below.

What’s It Do?

InstallEnterpriseApplication is an Apple MDM command that provides support for installing software packages on macOS computers. More narrowly defined, it allows for the delivery of developer-signed, distribution-style packages (PKGs). It is a useful function for admins who wish to deploy software such as Munki, NoMAD, Crypt, Chef, Puppet, or similar tools. More on this is available in our Munki Deployment Using Apple DEP and MDM and Popular Open Source Tools for Mac Admins articles.

InstallEnterpriseApplication is an MDM protocol-level function, so unless you are an MDM developer or working with an open source MDM, you will not work with it directly. It is worth understanding, however, because not all MDM providers implement it. Many MDM providers require that their own agent software be installed on the macOS endpoint before any other software can be delivered; that agent then acts as the delivery mechanism for your own packages. Since InstallEnterpriseApplication performs package installation at the MDM protocol level, providers that implement it do not require additional client software.

Wait, Isn’t This Just InstallApplication?

InstallEnterpriseApplication is very similar to InstallApplication, which has been in existence for some time. InstallApplication is a much broader command and is used for installing App Store Apps, Enterprise iOS apps, and macOS packages. InstallEnterpriseApplication is intended to replace the macOS package installation functionality of InstallApplication and adds additional security options.

When an installation command is sent to a device, it includes a manifest. The manifest is a document that provides information about the package that is to be installed, such as its name, a download URL, and a checksum that the device can use later to validate the integrity of the downloaded file. The InstallApplication command provides a URL for the device to download the manifest from. InstallEnterpriseApplication adds two options:

  1. Certificate pinning: The MDM command can specify the public key that the web server hosting the manifest must be using.
  2. In-band delivery: The manifest can be specified in the InstallEnterpriseApplication command itself.
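As an added example (not code from the original article or from SimpleMDM), the following Python script shows the in-band option from item 2 together with the manifest checksum described above: it builds an InstallEnterpriseApplication command with the manifest embedded in the command plist, then performs the device-side check that recomputes the package's chunk digests and compares them with the manifest. The command and manifest key names (RequestType, Manifest, items/assets/metadata, sha256s, sha256-size) are those in Apple's MDM protocol reference; the package bytes, URL, bundle identifier, and UUID are constructed placeholders.

```python
import hashlib
import plistlib

def chunk_digests(data: bytes, chunk_size: int) -> list[str]:
    """Hex SHA-256 of each chunk_size-byte slice of data (the manifest's sha256s list)."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, max(len(data), 1), chunk_size)]

def build_manifest(pkg: bytes, url: str, bundle_id: str, version: str,
                   title: str, chunk_size: int) -> dict:
    """Manifest in the items/assets/metadata layout Apple's package installs use."""
    return {"items": [{
        "assets": [{"kind": "software-package", "url": url,
                    "sha256-size": chunk_size, "sha256s": chunk_digests(pkg, chunk_size)}],
        "metadata": {"kind": "software", "bundle-identifier": bundle_id,
                     "bundle-version": version, "title": title},
    }]}

def build_command(manifest: dict, command_uuid: str) -> bytes:
    """In-band InstallEnterpriseApplication command: the manifest travels inside the
    command plist, so the device never fetches it from a separate web server."""
    return plistlib.dumps({"CommandUUID": command_uuid,
                           "Command": {"RequestType": "InstallEnterpriseApplication",
                                       "Manifest": manifest}})

def request_type(command: bytes) -> str:
    return plistlib.loads(command)["Command"]["RequestType"]

def verify_package(pkg: bytes, command: bytes) -> bool:
    """Device-side integrity check: recompute the chunk digests of the downloaded
    package and compare them with the digests the MDM server put in the manifest."""
    asset = plistlib.loads(command)["Command"]["Manifest"]["items"][0]["assets"][0]
    expected = asset["sha256s"]
    actual = chunk_digests(pkg, asset["sha256-size"])
    return len(expected) == len(actual) and all(e == a for e, a in zip(expected, actual))

# Constructed sample: a stand-in byte string, not a real installer package.
SAMPLE_PKG = b"xar!" + bytes(range(256)) * 20
# Chunk size kept small so the sample yields more than one digest (three here).
MANIFEST = build_manifest(SAMPLE_PKG, "https://mdm.example.com/pkgs/munki_tools.pkg",
                          "com.example.munki", "5.0.0", "Munki tools", chunk_size=2048)
COMMAND = build_command(MANIFEST, "00000000-0000-4000-8000-000000000001")

if __name__ == "__main__":
    print(COMMAND.decode())
    print("package matches manifest:", verify_package(SAMPLE_PKG, COMMAND))
    print("tampered package matches:", verify_package(SAMPLE_PKG + b"\x00", COMMAND))
```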

Why Does This Matter?

InstallApplication required devices to contact a web server to fetch the manifest file. Since this web server was outside of the MDM communication channel, it required vendor-brewed security measures to limit access to the manifest file. If a manifest URL or URL formatting pattern was discovered and its access controls were weak, outside parties could, in theory, review and download an organization's software.

Additionally, since InstallApplication did not support certificate pinning, devices were more susceptible to a man-in-the-middle attack when fetching the manifest file.

By contrast, InstallEnterpriseApplication's in-band manifest delivery option is significantly more secure. Only enrolled MDM devices can retrieve the manifest file, and the transmission occurs over the already-secured MDM communications channel. If a manifest URL is specified instead, the optional certificate pinning provides a bit more protection against a man-in-the-middle when the manifest is fetched.

When Will This Feature Be Available?

SimpleMDM supports InstallEnterpriseApplication today. Any packages delivered to devices running macOS version 10.13.6 and later will receive an InstallEnterpriseApplication MDM command. Earlier versions of macOS will continue to receive the InstallApplication command for backwards compatibility.

Comments (3)

Apple’s MDM spec, as of today, does not include a mechanism for uninstalling macOS software. In fact, there is no concept of managed applications for macOS yet, only iOS.

In response to the link provided, we have seen a slightly different behavior with revoked VPP licenses than the article suggests. When a license is revoked, the app on the device does not uninstall or become unusable immediately; however, once the license has been assigned to a new device, the original user receives a pop-up notification and the app is removed and/or does become unusable. This is what we have observed and is subject to change.
