By: Iris Yuning Ye | Product Manager - Microsoft Intune
Pre-install and post-install scripts for macOS PKG apps aim to reduce the overhead and pressure on IT admins that typically come with repackaging PKGs. They also enable an expanded set of options during app installation. In this blog we’ll explore several scenarios where these scripts are helpful.
This blog is part of a series on better understanding app management for macOS devices. Also check out Understanding application types in Microsoft Intune for macOS.
Caption: A screenshot of the pre-install and post-install script fields in the Microsoft Intune admin center. (Apps > macOS > Add app macOS app (PKG) > Program).
Pre-install scripts
Intune runs pre-install scripts before the application’s installed but only if the app isn’t detected as already installed. You can use pre-install scripts to validate the endpoint state prior to app installation or prepare the endpoint for the app’s installation. Examples of this include checking for prerequisites, configuring settings needed by the application, or removing conflicting applications. You can see the results of pre-install scripts in the Microsoft Intune admin center under Apps > macOS apps > [select targeted app] > Device install status. If the pre-install script exits with a non-zero code, which indicates a failure, the status details in the admin center will report the following: “The custom pre-install script did not complete successfully. (0X87D3014A)” as shown in the screenshot below.
You can find reference on how to interpret the install status in Add an unmanaged macOS PKG app to Microsoft Intune.
Important: From a support perspective, Microsoft fully supports Intune and its ability to deploy scripts. However, Microsoft does not support the scripts themselves, even if they are on our GitHub repository. They’re provided for example only. You are responsible for anything that they may do within your environment. Always test!
Sample pre-install scripts scenarios
Scenario 1: Pre-requisite configurations before Microsoft Defender for Endpoint app installation
Ensure that all necessary configurations are completed before installing the Defender for Endpoint app. This includes setting up specific system settings or prerequisites that the Defender for Endpoint app requires to function correctly.
#!/bin/bash
# Example configuration: Set up a specific system setting
echo "Configuring system settings for Defender for Endpoint app installation..."
# Add your configuration commands here
# For example, enabling a specific security feature
# (/usr/bin/security_feature is a placeholder; replace it with the actual command)
sudo /usr/bin/security_feature --enable
if [ $? -ne 0 ]; then
    echo "Failed to configure system settings. Aborting installation."
    exit 1
fi
echo "System settings configured successfully. Proceeding with Defender for Endpoint app installation."
exit 0
Scenario 2: Ensure that the Cisco AnyConnect client is configured to connect to a specific server by installing the required XML configuration file before the application is installed.
#!/bin/bash
# Example configuration: Install XML configuration file for Cisco AnyConnect
echo "Installing XML configuration file for Cisco AnyConnect..."
# Path to the XML configuration file
config_file="/path/to/your/config.xml"
# Destination directory for the configuration file
destination_dir="/opt/cisco/anyconnect/profile"
# The app is not installed yet, so create the destination directory if it is missing
sudo mkdir -p "$destination_dir"
# Copy the configuration file to the destination directory
sudo cp "$config_file" "$destination_dir"
if [ $? -ne 0 ]; then
    echo "Failed to install XML configuration file. Aborting installation."
    exit 1
fi
echo "XML configuration file installed successfully. Proceeding with Cisco AnyConnect installation."
exit 0
Scenario 3: Remove pre-existing resource files and images for swiftDialog
Source code available at: Microsoft Shell Intune Samples - SwiftDialog
#!/bin/bash
# Define any variables we need here:
logDir="/Library/Application Support/Microsoft/IntuneScripts/Swift Dialog"
DIALOG_BIN="/path/to/SwiftDialog" # Set this to the path where SwiftDialog is expected to be installed
PKG_PATH="/var/tmp/dialog.pkg"
PKG_URL="https://github.com/swiftDialog/swiftDialog/releases/download/v2.5.2/dialog-2.5.2-4777.pkg"
# Start logging
mkdir -p "$logDir"
exec > >(tee -a "$logDir/preinstall.log") 2>&1
if [ -e "/Library/Application Support/Dialog" ]; then
    echo "$(date) | PRE | Removing previous installation"
    rm -rf "/Library/Application Support/Dialog"
    rm -rf "/Library/Application Support/SwiftDialogResources"
    rm -rf "/usr/local/bin/dialog"
fi
# Download the SwiftDialog .pkg (-f makes curl fail on an HTTP error instead of saving the error page)
if ! curl -fL -o "$PKG_PATH" "$PKG_URL"; then
    echo "$(date) | ERROR | Swift Dialog download failed."
    exit 1
fi
# Install SwiftDialog from the downloaded .pkg file
sudo installer -pkg "$PKG_PATH" -target /
if [[ $? -eq 0 ]]; then
    echo "$(date) | POST | Swift Dialog has been installed successfully."
else
    echo "$(date) | ERROR | Swift Dialog installation failed."
    exit 1
fi
echo "$(date) | PRE | Completed Pre-install script"
exit 0
Post-install scripts
You can use post-install scripts to perform tasks that need to be done after the installation. Post-install scripts run after Intune successfully installs the application. Examples include configuring the application, setting up user preferences, or cleaning up temporary files created during the installation process. If the application installation fails, the post-installation script won’t run. Note that post-install script failure isn't reported and the Intune agent doesn’t retry a failed post-install script. A successful app installation followed by a failed post-install script will report the app installation status as "success" in the admin center.
Sample post-install scripts scenarios
Scenario: Logging historic versions of installed apps
Record and save a log of historic versions of the application installed on the targeted device. This log can be stored locally on the device for future reference and auditing purposes.
#!/bin/bash
# Example: Log historic versions of installed app
echo "Logging historic versions of installed app..."
# Path to the log file
log_file="/path/to/your/logfile.txt"
# Get the current version of the app (replace with actual command)
app_version=$(your_app_command --version)
# Append the current version to the log file with a timestamp
echo "$(date): Installed version $app_version" >> "$log_file"
if [ $? -ne 0 ]; then
    echo "Failed to log the app version."
    exit 1
fi
echo "App version logged successfully."
exit 0
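Since a failed post-install script is not reported in the admin center and is not retried, the script itself has to leave evidence of what happened. The following is an added example, not part of the original post: each step is logged with its exit code and a one-line status marker is written at the end. The file paths, function names and the two stand-in steps are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: record post-install step results locally, because Intune
# does not surface post-install script failures.

# Hypothetical locations; use paths your log collection already covers.
LOG_FILE="${LOG_FILE:-${TMPDIR:-/tmp}/postinstall-example.log}"
STATUS_FILE="${STATUS_FILE:-${TMPDIR:-/tmp}/postinstall-example.status}"
FAILED_STEPS=0

# Run one step, log its outcome with a timestamp, and count failures
# instead of exiting, so later steps still run and every failure is recorded.
run_step() {
    local name="$1" rc
    shift
    if "$@" >> "$LOG_FILE" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$(date) | POST | OK | $name" >> "$LOG_FILE"
    else
        echo "$(date) | POST | FAILED rc=$rc | $name" >> "$LOG_FILE"
        FAILED_STEPS=$((FAILED_STEPS + 1))
    fi
    return 0
}

# Write a one-line marker that a separate reporting script can read.
write_status() {
    if [ "$FAILED_STEPS" -eq 0 ]; then
        echo "success" > "$STATUS_FILE"
    else
        echo "failed:$FAILED_STEPS" > "$STATUS_FILE"
    fi
}

# Constructed stand-ins for real post-install work: one succeeds, one fails.
run_step "write preferences (stand-in)" true
run_step "clean up temporary files (stand-in)" false
write_status
echo "Post-install status: $(cat "$STATUS_FILE")"
```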
In summary, the implementation of pre-install and post-install scripts in Intune for macOS managed devices provides robust capabilities for enhancing application deployment and management. By incorporating post-install scripts like license activation and logging historic versions of installed apps, admins can ensure applications are not only correctly installed but also fully operational and auditable. This approach not only improves the efficiency of app deployment but also helps maintain a high standard of compliance and functionality across all managed devices. Proper handling and customization of these scripts pave the way for a smoother, more reliable management experience in macOS environments.
If you missed them, check out Understanding application types in Microsoft Intune for macOS and Exploring the use cases of payloadless packages in Microsoft Intune for macOS. Let us know if you have any questions by leaving a comment or reaching out on X @IntuneSuppTeam.
Updated Feb 20, 2025
Version 2.0