macOS Enrollment in Microsoft Intune: Simplified with this Bootstrapper Script
The new year has begun, and my colleagues and I published several blogs toward the end of 2024 about the powerful combination of Microsoft Intune and Recast Application Workspace. We’ve highlighted how we enhance Intune, especially when it comes to Application Management. Those posts made extensive use of our Bootstrapper on Windows. But what if your organization also manages macOS devices with Intune or plans to do so in the near future?
In this post, I’ll address that very question. My colleague, Matthew Gonzalez Nieves, wrote an excellent blog on this topic, which continues to offer a great solution. With the introduction of the Application Workspace Agent Bootstrapper for macOS, I felt it was time to revisit and update the process. This blog will focus on simplifying the enrollment of macOS devices in Microsoft Intune using the Application Workspace Agent Bootstrapper. Think of it as a refreshed version of Matthew’s original post.
Understanding the Agent Bootstrapper
Application Workspace Agent Bootstrapper is a tool that helps install or update the Application Workspace Agent or Universal Agent and optionally run a deployment after installation. It runs on both Windows and macOS platforms. The Bootstrapper can be downloaded from here.
Advantages of using the bootstrapper:
- Checks whether the Agent is present. If not, it downloads and installs the Application Workspace Agent from an Application Workspace environment.
- Updates older versions of the Agent to keep endpoints aligned with the latest features and requirements.
- Configures the Agent with the necessary settings in the Agent.json.
- Maintains consistency by ensuring all devices are configured identically and comply with company policies.
- Allows custom installations using command-line parameters to tailor the installation and configuration process.
- Optionally starts a deployment after successful installation of the Agent.
The macOS Enrollment Script Explained
I’ve written a Bash script that’s natively supported by macOS. It’s a simple script that you can expand with additional checks and features as needed. You can find the script, “Bootstrapper_macOS.sh,” on my GitHub.
Here’s what the script does:
- First, it checks if an Application Workspace Agent is already installed.
- It creates a destination directory called “ApplicationWorkspace” under /tmp.
- It downloads the Agent.json and a necessary self-signed certificate from an Azure Storage container to the destination directory /tmp/ApplicationWorkspace/.
- The Bootstrapper is directly downloaded from our download page to the destination directory /tmp/ApplicationWorkspace/.
Log File
The Bootstrapper creates its own log file, “BootstrapAgent.log,” which this script places in the destination directory /tmp/ApplicationWorkspace/. You can change this location with the –LogPath parameter.
From Script to Action: Adding the Script in Intune
Now comes the fun part! We’ll take our script and unleash it into Intune.
Note: We’re currently dealing with some challenges installing the Application Workspace Universal Agent or using the Bootstrapper. This issue popped up due to a recent change by Apple and affects macOS 15.1 (Sequoia) and later versions. While our team is hard at work on a fix, we’ll need to use a workaround for now. The workaround needs to be in place before beginning with the steps below. I’ve detailed the steps in a previous blog post, which you can check out here.
1. Go to Microsoft Intune admin center >> Devices >> macOS >> Scripts and click Add.
2. In Basics, enter a desired name, for example, “Application Workspace Bootstrapper (macOS)”. Optionally, add a description, and click Next.
3. In Script settings, click Upload script and browse to the script.
4. For the “Run script as signed-in user” option, select No. This runs the script as the root user.
5. For the “Hide script notification on devices” option, select Yes and click Next.
6. In Assignments, click Add groups and add a group of devices that should receive this script. Click Next.
7. In Review + add, check in the summary that all settings are correct. Click Add.
Conclusion
That’s all folks! The script has been successfully added to Intune and is now all set for use. Now comes the moment of truth—sit back and relax. Remember, Recast has your back!
With the Bootstrapper script in place, your macOS devices are enrolled smoothly and updated automatically. This streamlined process not only reduces manual effort but also keeps your organization secure and compliant. If you’re eager to explore more ways to enhance endpoint management, keep an eye on the Recast blog for future updates. You can also follow us on Twitter, LinkedIn, Discord (#recast-software), and YouTube.