New block screen capture for iOS/iPadOS MAM protected apps

Following the announcement of Microsoft Intune support for Apple Intelligence, we recently introduced support to block screen capture for mobile application management (MAM) protected apps. This blog provides details of the default screen capture behavior to help you understand how it affects your users, and the settings available to change the default behavior.

Background

Previously, for iOS/iPadOS, there were no controls to limit screen captures per application, per user, or without device enrollment. This resulted in a gap for organizations with only MAM protection. As part of our secure-by-default commitment, the new default behavior for your MAM-protected app may have changed. Now, based on your Intune app protection policy settings, when a user attempts to screen capture or share the screen from a managed account within a MAM-protected app, a blank screen is captured instead of the actual screen image.

How the MAM block screen capture works

In Intune, screen capture is controlled using the existing Send Org data to other apps setting within the Data Protection section of the iOS app protection policy (APP), and is blocked if both of the following conditions are met:

1. The app (Microsoft apps, third-party apps, or your line-of-business (LOB) app) is updated to use Intune App SDK v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16.
2. The app is targeted by APP and the setting Send Org data to other apps is set to “None” or any of the “Policy managed apps...” values.

If Send Org data to other apps is configured to “All Apps”, screen capture for your MAM protected apps isn’t blocked.

Changing the default MAM screen capture block

For some scenarios, you may wish to allow screen capture while retaining the existing APP configuration, such as allowing screen capture and sharing to policy managed apps. Therefore, we introduced a managed app configuration key, com.microsoft.intune.mam.screencapturecontrol = Disabled, to override the default behavior.

To allow screen capture on iOS devices targeted with an app protection policy, follow these steps:

1. Navigate to the Microsoft Intune admin center.
2. Select Apps > App configuration policies > Create > Managed apps.
3. On the Basics page, select the apps you wish to target. For this example we’ve selected Outlook (iOS/iPadOS), Teams (iOS/iPadOS) and an LOB app.
4. On the Settings page, within the “General configuration settings” section, add the key com.microsoft.intune.mam.screencapturecontrol with the value Disabled.
5. Assign the configuration policy to the users you want to target with the override setting.

For more details, refer to Add an app configuration policy for managed apps on iOS/iPadOS and Android devices.

Conclusion

To keep your organization secure, based on your policy, all screen capture attempts are blocked for MAM protected apps. The managed app configuration setting detailed in this blog allows you to override the default to meet specific requirements within your organization. Stay tuned to What's new in Microsoft Intune for future improvements to the screen capture blocking capabilities and more Apple Intelligence features. Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

From the frontlines: Frontline worker management with Microsoft Intune
So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management, with experience managing Windows devices, personal mobile devices, or corporate-owned, user-based productivity mobile devices. Maybe you just completed your migration from another product to Intune for some portion of your device estate. Or this may be your first interaction with Intune. Regardless of where you’re starting from, managing frontline worker devices in Intune is simple, and you can even leverage existing Intune policies you already configured. So, get out that rugged bar code scanner, Android tablet, kiosk device, shared iPad, wearable device, or any other frontline worker device and let’s get started!

My name is Dan Andersen, Principal PM Manager at Microsoft. My team partners directly with engineering to assist in product development, and our worldwide team has assisted over 1,800 enterprises in successfully onboarding their device scenarios into Intune. In this post I’m introducing a blog series focused on frontline worker (FLW) device management.

Why focus on FLW? This space represents a multitude of devices and use cases that have enabled frontline workers, and we’ve worked with others like you to craft great FLW solutions. We will use this series to share these solutions and options with you and hopefully make your FLW journey with Intune seamless and exciting. Before getting into the series, if you’re looking for some background on FLW usage examples, check out the Microsoft Intune Blog: Microsoft Intune empowers frontline workers in retail and beyond.

Throughout this year we’ll deliver monthly blogs delving into FLW use cases and how to manage these devices. We’ll dive into key scenarios and explain how to approach them and, at times, specifically how to configure them. Instead of rewriting product documentation, we’ll include links to more details when applicable, and keep the posts focused on enabling success. Each blog post will be published here in the Microsoft Intune Customer Success blog and include “From the Frontlines:” in the title for easy searching. For quick reference, we’ll keep this table updated as we publish the series, so stay tuned here or follow us @IntuneSuppTeam on X for more in the coming months!

Blog topic | Publish date
From the frontlines: Revolutionizing healthcare worker experience | February 28, 2025

Exploring the use cases of payloadless packages in Microsoft Intune for macOS
By: Iris Yuning Ye | Product Manager - Microsoft Intune

Payloadless PKGs are a powerful tool that extends macOS app management functionality. A payloadless PKG is a type of package file used primarily in macOS environments that doesn’t contain or deliver any actual application or data files. Using Intune, you can deploy payloadless PKGs to managed macOS endpoints using the built-in macOS PKG management capabilities. The best use case for payloadless PKGs is running scripts on demand. Additionally, since payloadless packages are PKG files installed via the macOS agent channel, pre-install and post-install scripts are also available.

Important: From a support perspective, Microsoft fully supports Intune and its ability to deploy scripts. However, Microsoft does not support the scripts themselves, even if they’re on our GitHub repository. They’re provided for example only. You’re responsible for anything that they may do within your environment. Always test!

The example below is a script that modifies the desktop dock. You can deploy this to managed macOS endpoints using a payloadless PKG. This is a partial code snippet only, to present the key dock configuration. To fully modify the endpoint’s desktop dock, you need to update the script further, including specifying local app paths and adding logic to conditionally configure the dock as applies to your environment. For the complete script, refer to: Microsoft Shell Intune Samples - Dock.

```bash
# (Omitted the preparation code lines)

# Check if apps are installed
if [[ "$waitForApps" == true ]]; then
    echo "$(date) | Waiting for apps to be installed..."
    wait_for_apps_installation 900   # Wait 900 seconds for apps to be installed
fi

# If useDockUtil is true, use dockutil to configure the dock
if [[ "$useDockUtil" == true ]]; then
    echo "$(date) | Configuring dock with dockutil"
    install_dockutil_if_missing
    configure_dock_with_dockutil
else
    echo "$(date) | Configuring dock with plist"
    configure_dock_via_plist
fi
```

By deploying this via a payloadless app, you can make it available in the Intune Company Portal. To do this you’ll need to use a payloadless package (Intune Unmanaged PKG) and a post-install script (Intune PKG Post Install Script).

1. Upload dock.pkg to Intune: This is a totally empty PKG that creates a receipt named com.intune.dock. For guided steps on how to upload the PKG, refer to: Add an unmanaged macOS PKG app to Microsoft Intune. When you assign the package, ensure that you do it as available.
2. Paste the dock5.sh contents as the Post Install Script: For this flow, ensure that waitForApps is set to false. For details of pre-install and post-install scripts, refer to the blog: Understand pre-install and post-install scripts in macOS Intune.

Here is a demo of what it looks like when you deploy this payloadless package to modify the endpoint desktop dock:

There are multiple app types available for deployment from Microsoft Intune to managed endpoints, including macOS PKGs, which you also use for payloadless PKGs. Learn more about the different app types in the blog: Understanding application types in Microsoft Intune for macOS.

Screenshot: the app type selection in the admin center (> macOS > Add App > macOS app (PKG)).

In conclusion, payloadless PKGs are a versatile tool that enhances macOS app management. With the ability to add and configure macOS apps in Intune, you can maintain a high level of control and flexibility over your macOS app deployments. For more information on adding and deploying a macOS PKG in Intune, refer to: Add an unmanaged macOS PKG app to Microsoft Intune.

If you missed it, check out Understanding application types in Microsoft Intune for macOS and Understand pre-install and post-install scripts for macOS in Microsoft Intune, and let us know if you have any questions by leaving a comment or reaching out on X @IntuneSuppTeam.

Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune

This blog was written to provide guidance to Microsoft Intune admins that need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government’s Department of Home Affairs Protective Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). Guidance provided in this blog uses the DeepSeek – AI Assistant app and associated website as an example, but you can use the provided guidance for other apps and websites as well.

The information provided here is supplemental to previously provided guidance, which is more exhaustive in the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

iOS/iPadOS devices

For ease of reference, the following information is required to block the DeepSeek – AI Assistant app:

App name: DeepSeek – AI Assistant
Bundle ID: com.deepseek.chat
Link to Apple App Store page: DeepSeek – AI Assistant
Publisher: 杭州深度求索人工智能基础技术研究有限公司

Corporate devices (Supervised)

Hide and prevent the launch of the DeepSeek – AI Assistant app

The most effective way to block an app on supervised iOS/iPadOS devices is to block the app from being shown or launched.

1. Create a new device configuration profile and select Settings Catalog for the profile type (Devices > iOS/iPadOS > Configuration profiles).
2. On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs.
3. Select the Restrictions category and then select the checkbox next to the Blocked App Bundle IDs setting.
4. Enter the Bundle ID: com.deepseek.chat
5. Assign the policy to either a device or user group.

Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can’t use this option.

Uninstall the DeepSeek – AI Assistant app

If a user has already installed the app via the Apple App Store, it will persist on the device even though they will be unable to launch it once the policy described above is configured. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it somehow gets installed at any point in the future, while the policy remains assigned.

1. Navigate to Apps > iOS/iPadOS apps.
2. Select + Add and choose iOS store app from the list.
3. Search for DeepSeek – AI Assistant and Select.
4. Accept the default settings, then Next.
5. Modify the Scope tags as required.
6. On the Assignments tab, under the Uninstall section, select + Add group, + Add all users or + Add all devices, depending on your organization’s needs.
7. Click the Create button on the Review + create tab to complete the setup.

Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed.

Personal Devices – Bring your own device (BYOD)

Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options:

1. Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement).
2. Use a report to identify personal devices with specific apps installed.
3. Take over the app with the user’s consent.
4. Uninstall the app.

This guide will focus on option 1. For further guidance on the other options refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources

You can use compliance policies in Intune to mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can then prevent the user from accessing protected company resources when using a non-compliant device.

1. Create an iOS/iPadOS compliance policy by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy.
2. On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next.
   Name: DeepSeek – AI Assistant
   Bundle ID: com.deepseek.chat
3. Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next.
4. Assign any Scope tags as required and select Next.
5. Assign the policy to a user or device group and select Next.
6. Review the policy and select Create.

Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as “Not compliant”. When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed.

Android devices

Android Enterprise corporate owned, fully managed devices

Admins can optionally choose to allow only designated apps to be installed on corporate owned, fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy. If this setting has been configured as Block or Not configured (the default), no additional configuration is required, as users are only able to install apps allowed by the administrator.

Uninstall DeepSeek

To uninstall the app and prevent it from being installed via the Google Play Store, perform the following steps:

1. Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu.
2. Enter DeepSeek – AI Assistant in the Search bar, select the app in the results, click Select and then Sync.
3. Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments.
4. Under the Uninstall section, add a user or device group and select Review + save and then Save.

After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”.

The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, the example error below is displayed on the user’s managed device:

Android Enterprise personally owned devices with work profile

For Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile.

Note: Apps installed outside of the work profile can’t be managed by design.

Windows devices

You can block users from accessing the DeepSeek website on Windows devices that are enrolled into Microsoft Defender for Endpoint. Blocking users’ access to the website will also prevent them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already enrolled into Microsoft Defender for Endpoint.

Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge

First, Custom Network Indicators needs to be enabled.

Note: After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP address to be blocked on a device.

1. Access the Microsoft Defender admin center, navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button.
2. Select Save preferences.

Next, create a Custom Network Indicator.

1. Navigate to Settings > Endpoints > Indicators, select URLs/Domains and click Add Item.
2. Enter the following, and then click Next:
   URL/Domain: https://deepseek.com
   Title: DeepSeek
   Description: Block network access to DeepSeek
   Expires on (UTC): Never
3. You can optionally generate an alert when a website is blocked by network protection by configuring the following, then click Next:
   Generate alert: Ticked
   Severity: Informational
   Category: Unwanted software
   Note: Change the above settings according to your organization’s requirements.
4. Select Block execution as the Action and click Next, review the Organizational scope and click Next.
5. Review the summary and click Submit.

Note: After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device.

Once the Custom Network Indicator becomes active, the user will experience the following when attempting to access the DeepSeek website via Microsoft Edge:

Using Defender for Endpoint to block websites in other browsers

After configuring the above steps to block access to DeepSeek in Microsoft Edge, admins can leverage Network Protection to block access to DeepSeek in other browsers.

1. Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy, select the following and then click Create:
   Platform: Windows 10 and later
   Profile type: Settings Catalog
2. Enter a name and description and click Next.
3. Click + Add settings and in the search field, type Network Protection and click Search.
4. Select the Defender category and select the checkbox next to Enable Network Protection.
5. Close the settings picker, change the drop-down selection to Enabled (block mode) and click Next.
6. Assign Scope Tags as required and click Next.
7. Assign the policy to a user or device group and click Next.
8. Review the policy and click Create.

When users attempt to access the website in other browsers, they will experience an error that the content is blocked by their admin.

macOS

macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser, as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in the guidance.

Enable Network Protection

Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center:

1. Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create.
2. Enter an appropriate name and description and select Next.
3. Click + Add settings and in the search bar, enter Network Protection and select Search.
4. Select the Microsoft Defender Network protection category, select the checkbox next to Enforcement Level and close the Settings Picker window.
5. In the dropdown menu next to Enforcement Level, select Block and select Next.
6. Add Scope Tags as required and select Next.
7. Assign the policy to a user or device group and select Next.
8. Review the policy and select Create.

When attempting to access the website, the user will experience the following:

Conclusion

This blog serves as a quick guide for admins needing to block and remove specific applications on their Intune managed endpoints in regulated organizations. Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Additional resources

For further control and management of user access to unapproved DeepSeek services, consider utilizing the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers valuable information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users.

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

Understanding application types in Microsoft Intune for macOS
By: Iris Yuning Ye | Product Manager - Microsoft Intune

As an IT admin managing macOS endpoints, leveraging Microsoft Intune for app deployment can streamline your workflow and enhance security. If you can install an app via the macOS built-in terminal, we want to make sure Intune can do the same thing at scale for your devices. Intune supports various app types, each with its own use cases and benefits. In this blog, we’ll explore the differences among these app types and provide guidance on when and how to use each one.

Screenshot: the app type dropdown in the admin center (> macOS > Add app).

There are two channels for apps that are deployed in Intune to managed macOS endpoints:

Apple’s mobile device management (MDM): The MDM channel is the built-in device management channel provided by Apple. When using the MDM channel, there are strict rules ensuring apps are installed from trusted sources recognized by Apple. Review Apple’s documentation for further details: Distribute custom packages for Mac - Apple Platform Deployment.

Intune agent: The Intune agent channel allows more flexible app installations from Microsoft Intune on managed macOS endpoints. For this channel, admins must upload the DMG or PKG file to Intune. The macOS device then downloads this file and installs the app locally.

MDM channel apps

Microsoft apps

These are Microsoft first-party apps that can be directly installed from Intune; you don’t need to upload any file. In addition, Intune installs Microsoft AutoUpdate to run in the background on macOS, which updates the existing Microsoft apps to the latest version available at the time.

Recommended usage scenario: You want to be on the latest version of the core Microsoft apps without having to upload the apps or maintain upgrades over time. Add these apps through the Intune admin center by selecting the specific apps you want to deploy. Also, ensure your users have the necessary licenses to access these apps. Find more details in: Understand Microsoft apps in Microsoft Intune.

App Store – Volume Purchase Program (VPP) apps

Since Apple VPP apps are managed via Apple Business Manager or Apple School Manager and synchronized to Intune via a VPP token, this option is not available in the dropdown list for Intune app types.

Recommended usage scenario: You need to manage (assign/revoke/reassign) licenses of free or purchased store apps or custom apps. Or, you need to deploy App Store apps without the user having to log in to the App Store; this can be achieved by using device licensing. Apple supports uploading a PKG from the App Store, but you will need access to:

- Apple Developer account
- Apple Developer certificate
- Apple App Store notarization

Find more details in: How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.

Web clip

Web clips are used to direct users to specific web resources from within the Intune Company Portal. This is helpful for guiding users to important sites or resources.

Recommended usage scenario: You need to provide easy access to websites as pinned Dock items. Add a web link in Intune by specifying the URL. It will appear in the Company Portal as a “Required app” for easy access. Find more details in: Add web apps to Microsoft Intune.

Web link

Web link shares similar functionality with Web clip. But web clip has the most up-to-date settings, so we recommend using web clip to cover web link cases. Find more details in: Add web apps to Microsoft Intune.

Line-of-business (LOB) app

macOS LOB apps are typically developed in-house. This app type requires you to upload a PKG file to Intune. Then, Intune installs the LOB app on the user's device. It’s highly recommended to only upload flat packages, which must not have nested folders within the archive.

Recommended usage scenario:
- You need to manage app removal on Intune MDM unenrollment and manage whether the app data is backed up to iCloud. The apps must be marked as “install as managed”.
- Your PKG app is signed using an Apple Developer ID installer certificate. PKGs for LOB apps must be signed using an Apple Developer ID installer certificate. If you need to distribute a PKG that is unsigned, use the macOS (PKG) option instead.

Find more details in: Understand line-of-business apps for your managed environment.

Intune agent channel apps

macOS DMG app

An admin has to upload a DMG file from local storage when creating a new app policy in the admin center. The .app inside the DMG is copied to the Applications folder to install it on the device.

Recommended usage scenario: You need to deploy a disk image that contains one or more applications in .app format to be installed to the Applications folder. Note that all apps are unmanaged and won’t be uninstalled when the MDM profile is removed. Find more details in: Add a macOS DMG app to Microsoft Intune.

macOS PKG app

An admin has to upload a PKG file from local storage when creating a new app policy in the admin center. Complex PKGs are also supported by this deployment type.

Complex PKG: A complex PKG refers to a type of package file used primarily in macOS environments that includes more intricate configurations and requirements compared to standard PKG files. These packages often contain multiple components, scripts, and dependencies that need to be managed during the installation process.

Recommended usage scenario:
- You need to deploy a PKG with advanced controls for pre-install or post-install scripts.
- You need to deploy a PKG containing only scripts and no app payload.
- You need to deploy a PKG that the macOS LOB app workflow cannot install.
- You need to deploy a PKG that is not signed by an Apple Developer ID installer certificate.

Pre-install and post-install scripts are available for apps installed via the Intune agent. Note that all apps are unmanaged and won’t be uninstalled when the MDM profile is removed. Find more details in: Add an unmanaged macOS PKG app to Microsoft Intune.

Conclusion

In summary, Intune provides robust support for managing macOS endpoints through its comprehensive app deployment capabilities, allowing you to confidently deploy and manage a variety of application types to meet the diverse needs of your organization. If you missed it, check out Exploring the use cases of payloadless packages in Microsoft Intune for macOS and Understand pre-install and post-install scripts for macOS in Microsoft Intune. Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

Understand pre-install and post-install scripts for macOS in Microsoft Intune
By: Iris Yuning Ye | Product Manager - Microsoft Intune Pre-install and post-install scripts for macOS PKG apps aims to reduce the overhead and pressure on IT admins that typically comes with repackaging PKGs. It also enables an expanded set of options during app installation. In this blog we’ll explore several scenarios where these scripts are helpful. This blog is part of a series in better understanding app management for macOS devices, check out Understanding application types in Microsoft Intune for macOS. Caption: A screenshot of the pre-install and post-install script fields in the Microsoft Intune admin center. (Apps > macOS > Add app macOS app (PKG) > Program). Pre-install scripts Intune runs pre-install scripts before the application’s installed but only if the app isn’t detected as already installed. You can use pre-install scripts to validate the endpoint state prior to app installation or prepare the endpoint for the app’s installation. Examples of this include checking for prerequisites, configuring settings needed by the application, or removing conflicting applications. You can see the results of pre-install scripts in the Microsoft Intune admin center under Apps > macOS apps > [select targeted app] > Device install status. If the pre-install script exits with a non-zero code, which indicates a failure, the status details in the admin center will report the following: “The custom pre-install script did not complete successfully. (0X87D3014A)” as shown in the screenshot below. You can find reference on how to interpret the install status in Add an unmanaged macOS PKG app to Microsoft Intune. Important: From a support perspective, Microsoft fully supports Intune and its ability to deploy scripts. However, Microsoft does not support the scripts themselves, even if they are on our GitHub repository. They’re provided for example only. You are responsible for anything that they may do within your environment. Always test! 
Sample pre-install script scenarios

Scenario 1: Prerequisite configurations before Microsoft Defender for Endpoint app installation

Ensure that all necessary configurations are completed before installing the Defender for Endpoint app. This includes setting up specific system settings or prerequisites that the Defender for Endpoint app requires to function correctly.

    #!/bin/bash
    # Example configuration: set up a specific system setting before the
    # Defender for Endpoint app is installed
    echo "Configuring system settings for MDE app installation..."

    # Add your configuration commands here. The command below is a
    # placeholder; replace it with the real prerequisite command.
    sudo /usr/bin/security_feature --enable
    if [ $? -ne 0 ]; then
        echo "Failed to configure system settings. Aborting installation."
        exit 1
    fi

    echo "System settings configured successfully. Proceeding with Defender for Endpoint app installation."
    exit 0

Scenario 2: Ensure that the Cisco AnyConnect client is configured to connect to a specific server by installing the required XML configuration file before the application is installed.

    #!/bin/bash
    # Example configuration: install the XML configuration file for Cisco AnyConnect
    echo "Installing XML configuration file for CiscoAnyConnect..."

    # Path to the XML configuration file (replace with the real path)
    config_file="/path/to/your/config.xml"
    # Destination directory for the configuration file
    destination_dir="/opt/cisco/anyconnect/profile"

    # Fail early if the source file is missing
    if [ ! -f "$config_file" ]; then
        echo "Configuration file $config_file not found. Aborting installation."
        exit 1
    fi

    # Create the destination directory if needed and copy the file into it
    sudo mkdir -p "$destination_dir"
    sudo cp "$config_file" "$destination_dir"
    if [ $? -ne 0 ]; then
        echo "Failed to install XML configuration file. Aborting installation."
        exit 1
    fi

    echo "XML configuration file installed successfully. Proceeding with CiscoAnyConnect installation."
    exit 0

Scenario 3: Remove pre-existing resource files and images for swiftDialog. Source code available at: Microsoft Shell Intune Samples - SwiftDialog.

    #!/bin/bash
    # Define any variables we need here:
    logDir="/Library/Application Support/Microsoft/IntuneScripts/Swift Dialog"
    PKG_PATH="/var/tmp/dialog.pkg"
    PKG_URL="https://github.com/swiftDialog/swiftDialog/releases/download/v2.5.2/dialog-2.5.2-4777.pkg"

    # Start logging
    mkdir -p "$logDir"
    exec > >(tee -a "$logDir/preinstall.log") 2>&1

    # Remove any previous installation and its resources
    if [ -e "/Library/Application Support/Dialog" ]; then
        echo "$(date) | PRE | Removing previous installation"
        rm -rf "/Library/Application Support/Dialog"
        rm -rf "/Library/Application Support/SwiftDialogResources"
        rm -rf "/usr/local/bin/dialog"
    fi

    # Download the swiftDialog .pkg (-f makes curl fail on HTTP errors)
    if ! curl -fL -o "$PKG_PATH" "$PKG_URL"; then
        echo "$(date) | ERROR | Download of the swiftDialog package failed."
        exit 1
    fi

    # Install swiftDialog from the downloaded .pkg file
    sudo installer -pkg "$PKG_PATH" -target /
    if [[ $? -eq 0 ]]; then
        echo "$(date) | PRE | Swift Dialog has been installed successfully."
    else
        echo "$(date) | ERROR | Swift Dialog installation failed."
        exit 1
    fi

    echo "$(date) | PRE | Completed Pre-install script"
    exit 0

Post-install scripts

You can use post-install scripts to perform tasks that need to be done after the installation. Post-install scripts run after Intune successfully installs the application. Examples include configuring the application, setting up user preferences, or cleaning up temporary files created during the installation process. If the application installation fails, the post-install script won’t run.

Note that a post-install script failure isn’t reported, and the Intune agent doesn’t retry a failed post-install script. A successful app installation followed by a failed post-install script will report the app installation status as “success” in the admin center.
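Because a failed post-install script is not surfaced in the admin center, a post-install script can record its own outcome. The following is an added example, not code from the blog or the Intune samples repository: it reads the installed version from the PKG receipt (pkgutil --pkg-info) and writes an audit log line plus a last-status file an admin can inspect. The package identifier, app name and file paths are hypothetical.

```shell
#!/bin/bash
# Added example (not from the blog): a post-install script that records the
# installed package version from its receipt and writes its own status, since
# Intune reports the app as installed even when this script fails.
# Hypothetical values: PKG_ID, APP_NAME, LOG_FILE, STATUS_FILE.
PKG_ID="com.example.agent"
APP_NAME="ExampleAgent"
LOG_FILE="/Library/Application Support/Microsoft/IntuneScripts/$APP_NAME/postinstall.log"
STATUS_FILE="/Library/Application Support/Microsoft/IntuneScripts/$APP_NAME/last-status"

# receipt_version TEXT: pull the "version:" field out of `pkgutil --pkg-info` output
receipt_version() {
  printf '%s\n' "$1" | awk -F': ' '$1 == "version" { print $2; exit }'
}

# installed_version PKG_ID: version from the receipt database; fails if no receipt
installed_version() {
  info=$(pkgutil --pkg-info "$1" 2>/dev/null) || return 1
  receipt_version "$info"
}

# record VERSION RC: append an audit line and overwrite the last-status file,
# which an admin (or a custom attribute script) can read back later
record() {
  ts=$(date '+%Y-%m-%dT%H:%M:%S%z')
  mkdir -p "$(dirname "$LOG_FILE")" "$(dirname "$STATUS_FILE")"
  printf '%s | POST | %s | version=%s | rc=%s\n' "$ts" "$APP_NAME" "${1:-unknown}" "$2" >> "$LOG_FILE"
  printf 'version=%s\nrc=%s\ntime=%s\n' "${1:-unknown}" "$2" "$ts" > "$STATUS_FILE"
}

# last_rc: exit code recorded by the most recent run
last_rc() { sed -n 's/^rc=//p' "$STATUS_FILE"; }

main() {
  ver=$(installed_version "$PKG_ID")
  if [ -z "$ver" ]; then
    record "" 1   # no receipt: the PKG did not register, nothing to configure
    exit 1
  fi
  rc=0
  # Post-install configuration goes here; keep its exit code, for example:
  # defaults write "/Library/Preferences/$PKG_ID" Enrolled -bool true || rc=$?
  record "$ver" "$rc"
  exit "$rc"
}

# Run only where the macOS receipt database exists; elsewhere the functions can be tested alone.
if command -v pkgutil >/dev/null 2>&1; then main; fi
```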
Sample post-install script scenarios

Scenario: Logging historic versions of installed apps

Record and save a log of the historic versions of the application installed on the targeted device. This log can be stored locally on the device for future reference and auditing purposes.

    #!/bin/bash
    # Example: log historic versions of the installed app
    echo "Logging historic versions of installed app..."

    # Path to the log file (replace with the real path)
    log_file="/path/to/your/logfile.txt"

    # Get the current version of the app (replace with the actual command)
    app_version=$(your_app_command --version)
    if [ -z "$app_version" ]; then
        echo "Could not determine the app version."
        exit 1
    fi

    # Append the current version to the log file with a timestamp
    mkdir -p "$(dirname "$log_file")"
    echo "$(date): Installed version $app_version" >> "$log_file"
    if [ $? -ne 0 ]; then
        echo "Failed to log the app version."
        exit 1
    fi

    echo "App version logged successfully."
    exit 0

In summary, pre-install and post-install scripts in Intune for macOS managed devices provide robust capabilities for enhancing application deployment and management. By incorporating post-install scripts such as license activation and logging historic versions of installed apps, admins can ensure applications are not only correctly installed but also fully operational and auditable. This approach improves the efficiency of app deployment and helps maintain a high standard of compliance and functionality across all managed devices. Proper handling and customization of these scripts pave the way for a smoother, more reliable management experience in macOS environments.

If you missed it, check out Understanding application types in Microsoft Intune for macOS and Exploring the use cases of payloadless packages in Microsoft Intune for macOS, and let us know if you have any questions by leaving a comment or reaching out on X @IntuneSuppTeam.
