Application Management and Patching

Workaround for Installing Application Workspace Universal Agent on macOS 

Topics: Application Management and Patching, Intune

I wanted to share a quick update about an issue we’re currently facing with the installation of the Application Workspace Universal Agent or using the Bootstrapper to do so. This issue appeared due to a recent change by Apple and affects macOS 15.1 (Sequoia) and later versions. The good news is that this issue will be resolved in Application Workspace version 4.3. Until then, we’ll need to use a workaround, which I’ll detail in this blog. 

What’s the Issue? 

When installing the Application Workspace Universal Agent on this specific macOS version, the installation will not be executed properly, so the device will not register within the zone. Any deployment that was supposed to start fails, even when using the Application Workspace Bootstrapper. 

Workaround for Installing Application Workspace Universal Agent on macOS - bootstrapper

You might encounter issues like the Liquit Root CA certificate not being installed under System Keychains. You can verify this using the Keychain Access app, where the Liquit Root CA certificate is missing. 

Keychain Access

As seen in the Agent.log, the Liquit Root CA certificate installation fails. The result is that the Application Workspace Universal Agent cannot register the device within the zone specified in the Agent.json file. 

Agent.json file

The Workaround 

Nowadays, many organizations manage both Windows and macOS devices using Microsoft Intune. Intune’s ability to provide centralized management for multiple operating systems makes it a popular choice. Using Microsoft Intune as a Mobile Device Management (MDM) solution for Apple macOS devices offers several compelling advantages, particularly when configuring a trusted root CA certificate. Here’s how you can achieve this within Intune. Of course, this can also be done with other MDM solutions. 

Option 1: Deploying the Liquit Root CA Certificate via Microsoft Intune   

  • Download the Liquit Root CA certificate from my GitHub. If the Application Workspace Universal Agent is already installed, you can find the Liquit Root CA certificate on macOS at /Applications/Liquit/Contents/Resources, named Agent.pfx. 
  • Go to Intune >> Devices >> macOS
Intune portal - macOS
  • Click on Configuration (under Manage devices) >> Create >> New Policy.
Intune - create new policy
  • Select Templates under Profile Type.
  • Click on Trusted certificate and then Create.
Intune - create a profile
  • Enter a desired name, for example, “Application Workspace Root CA”. Optionally, add a description if needed, and click Next
Trusted certificate - name
  • Leave the Deployment Channel on Device Channel, browse to the certificate you downloaded in step 1, and click Next. 
  • Click on Add groups and add a group of devices that should receive this certificate. Click Next.
  • In the final step, click Create, and you’re done. 

Intune will now install the Application Workspace Root CA certificate on the group of macOS devices. Give it some time, and it will eventually be installed.

Application Workspace Root CA

Now functional

Now, when I install the Application Workspace Universal Agent using the Bootstrapper, it should work correctly, and the device will register with the zone, allowing the Application Workspace deployment to proceed smoothly. 

Application Workspace Universal Agent using the Bootstrapper - functional

Workaround for Installing Application Workspace Universal Agent on macOS - Root CA

Note: In Microsoft Intune, configuration policies are typically applied before installing apps or running scripts. This ensures that the necessary settings and configurations are in place before the apps are used or scripts are executed. So, the Application Workspace Root CA certificate will be present before we install the Application Workspace Universal Agent with the Bootstrapper. 

Option 2: Temporarily Using Agent Credentials 

There are several ways to register a device, and one alternative workaround is to temporarily use Agent credentials until this issue is fixed in Application Workspace 4.3. This can also be effectively managed with Intune or another MDM solution. 

Conclusion 

In summary, while the installation issue with the Application Workspace Universal Agent on macOS 15.1 (Sequoia) and later is temporary, these workarounds offer effective solutions until the release of Application Workspace version 4.3. By deploying the Liquit Root CA certificate through Microsoft Intune or another MDM solution, or by temporarily using Agent credentials, you can ensure your devices register correctly and deployments proceed smoothly. We appreciate your patience and are committed to resolving this issue promptly. 

Back to Top