If you are managing macOS devices with Intune, you probably noticed that there are few limitations in Intune related to applications deployment. This is happening because Intune uses MDM channel to manage macOS devices and only .pkg files is supported, while a lot of apps are using .app or even .dmg files.
But last year Microsoft announced new feature – scripting support for macOS devices through Intune MDM agent.
And because now we have a scripting support, we now can do everything on device. So, as a starting point, I want to have a way to install any applications on macOS devices.
Concept which came out to me is to have app package hosted somewhere and use a script to download and install an app.
Host your app package
To start, we need to have application package. For example, I took Sublime Text from here
In this case package is a disk image with application inside.
For testing purposes, I want to use Azure Blob storage as a hosting for app packages, because it is something I can manage and control.
After we uploaded package to Blob, we need to generate SAS-URL with read only permissions only. This link can be used to download this package to time period we are going to specify.

Building the script
So, once we have our SAS URL we can start building our script. We should have following parts in the script:
- Perform check if application is installed already, because we don’t want script to reinstall the app every re-run (that is something to be specified in Intune).
- Download file and unzip (if required).
- Mount image (because we are using disk image).
- Move application from image to Applications folder.
- Fix permissions
- Delete temporary files
Exact steps might be different and depends on package itself.
Now, we need to create our script.
#!/bin/bash
sas="<Blob SAS URL>"
dmgfile="/tmp/Sublime Text Build 3211.dmg"
appsource="/Volumes/Sublime Text/Sublime Text.app"
# check if Sublime is installed
if [ -e /Applications/Sublime\ Text.app ]
then
echo "Sublime already installed"
exit 0
fi
#Download package
curl -L -f -o "$dmgfile" "$sas"
#Mount image and install the app
sudo hdiutil attach -nobrowse "$dmgfile"
#Copy file to Applications
sudo cp -rf "$appsource" /Applications
#Cleaning Up
sudo hdiutil detach /Volumes/Sublime\ Text/
sudo rm -rf $dmgfile
#Fix up permissions
sudo chown -R root:wheel /Applications/Sublime\ Text.app
exit 0
Deploy script
Once we validated that script is working on your device, we now can deploy it to Intune. For that go to endpoint.microsoft.com > Devices > macOS > Shell Scripts > Add.

Now we need to specify options for our script.

“Run script as signed-in user” – script will run on behalf of signed-in user.
“Hide script notifications on devices” – if not configured, user will notice message in Notification Center.
‘Script frequency” – how often script is going to rerun. That is why important to specify check of installation.
“Max number of times to retry if script fails” – how many times script will retry to run in case of non-zero exit code on run.
Once everything is configured and deployed, Intune is going to install Intune Management agent which is later going to execute your script. Because of that, it might take at least several hours for device to first run your script.
Keep in mind that now you will be depending on Intune agent to checking with Intune for new scripts. It will not be pushed through MDM channel.
Now you can monitor script deployment process in Device Status, where you can see overview for devices. And also, if you click on specific device, you will be able to request log collection from specific device.

Conclusion
Now you know basic concept for how to install any application on your managed macOS devices. That is quite helpful not only to install .app or .dmg apps, but also if you need to run post-install scripts or configure your app during installation.
I can also recommend checking GitHub for examples of scripts. There you can find some ideas for how to do something or maybe someone already resolved your problem. Or you can do contribution.