A Guide to macOS Package Distribution for Enterprises

Understanding macOS PKG Distribution

Understanding the intricacies of macOS PKG distribution is pivotal for your company’s software deployment strategy. Below are the key components and methods you can leverage for distributing macOS packages:

Deployment Process Using Management Tools

Munki: This tool provides a detailed, 24-step walkthrough for deploying custom applications, showcasing the thoroughness required for a successful deployment.

Binary Frameworks in Xcode 12: For distributing closed-source libraries, Xcode 12 has introduced support for binary dependencies in Swift packages, enhancing the management of binary frameworks.

InstallApplication Command: This MDM server command is essential for instructing macOS devices to download and install applications or updates. It is packaged in a .plist format, containing details like the bundle identifier and the download URL.

MDM Deployment and Configuration Management Tools

MDM and Apple DEP: MDM distribution works hand-in-hand with Apple’s Device Enrollment Program (DEP) and is compatible with third-party solutions such as Trio, Munki, Puppet, or Chef. This combination provides automatic initialization and software installation.

Puppet and Chef: These open-source tools are used for configuration management. Puppet Enterprise, for instance, offers methods for macOS PKG distribution, including a command-line approach that involves multiple steps like SSH access, mounting disk images, and running the Puppet agent.

Fleet Platform: Fleet can be used for macOS device management to distribute the osquery installer and efficiently manage all devices.

Steps for Building and Distributing macOS Packages

Building a Product Archive: Use the productbuild command-line utility to compile and build installation packages. The syntax is as follows: productbuild --component /path/to/your.app /Applications/ output_packagename.pkg.

Using Configuration Management Tools: Tools like Trio, Munki, Chef, Ansible, or Puppet can distribute the osquery installer and integrate devices into Fleet for enterprise environments.

Managing PKG File Installation: The package resource in Puppet and Chef manages the installation of the PKG file, ensuring that the system’s desired state is achieved.

Web Distribution of macOS Packages

Hosting on a Website: Create a package containing the necessary content and host it on a website. Ensure the web server is configured to correctly transmit the package, utilizing native Apple MDM commands like InstallApplication to prompt device installation from a specified URL.
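As an added example (not code from the page or from Trio), this builds and verifies the manifest plist that an InstallApplication command points at through its ManifestURL when the .pkg is hosted on a web server, as described here and in the InstallApplication entry earlier on this page. The bundle identifier, version, title, URL and package bytes are constructed placeholders; the key names follow Apple's software-package manifest layout.

```python
import hashlib
import plistlib

MD5_CHUNK = 10 * 1024 * 1024  # 'md5-size': the package is hashed in slices of this many bytes

def chunk_md5s(data: bytes, chunk_size: int = MD5_CHUNK) -> list:
    """Hex MD5 of each chunk_size slice of the package, in order (the manifest's 'md5s' array)."""
    return [hashlib.md5(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]

def build_manifest(pkg_bytes, url, bundle_id, version, title, chunk_size=MD5_CHUNK) -> bytes:
    """XML plist for one software-package asset, in the layout a ManifestURL is expected to serve."""
    manifest = {
        "items": [{
            "assets": [{
                "kind": "software-package",
                "url": url,                 # where the enrolled Mac downloads the .pkg from
                "md5-size": chunk_size,
                "md5s": chunk_md5s(pkg_bytes, chunk_size),
            }],
            "metadata": {
                "kind": "software",
                "bundle-identifier": bundle_id,
                "bundle-version": version,
                "sizeInBytes": len(pkg_bytes),
                "title": title,
            },
        }]
    }
    return plistlib.dumps(manifest)

def verify_manifest(manifest_bytes: bytes, pkg_bytes: bytes) -> bool:
    """Server-side gate: the hosted .pkg must still match the manifest (size and every chunk
    digest) and must be served over HTTPS; the device checks the same digests before installing."""
    item = plistlib.loads(manifest_bytes)["items"][0]
    asset, meta = item["assets"][0], item["metadata"]
    if asset["kind"] != "software-package" or not asset["url"].startswith("https://"):
        return False
    return (meta["sizeInBytes"] == len(pkg_bytes)
            and asset["md5s"] == chunk_md5s(pkg_bytes, asset["md5-size"]))

if __name__ == "__main__":
    # Constructed stand-in for a signed .pkg; a real build would read the file from disk.
    pkg = bytes(range(256)) * 20
    manifest = build_manifest(pkg, "https://pkgs.example.com/ExampleApp-1.2.3.pkg",
                              "com.example.exampleapp", "1.2.3", "Example App", chunk_size=2048)
    print(manifest.decode())
    print("manifest matches package:", verify_manifest(manifest, pkg))
```

Regenerate and re-verify the manifest whenever the hosted package changes; a stale manifest makes every device download fail its digest check.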

Key Requirements of macOS/Apple Package Distribution

Preparing Your App for Distribution

Configure the Information Property List: This includes setting the bundle ID, assigning your project to a team, and specifying supported destinations.

Usage Descriptions and App Sandbox: Add usage descriptions as needed and configure the App Sandbox for security.

Choosing a Container Format

Mac App Store or Developer ID: Decide whether to distribute through the Mac App Store or use Developer ID signing for direct distribution.

Container Formats: For direct distribution, common formats include zip archives, disk images, and installer packages.

Building the Container

Zip Archive: Utilize the ditto command-line tool to create a zip archive.

Installer Package: Identify your Developer ID Installer signing identity and build with the productbuild tool.

Disk Image File: Create and populate a directory, then use hdiutil to create the disk image file, signing it with codesign.

Submitting and Notarizing Your App

Mac App Store Submission: Use altool or the Transporter app to submit your app.

Notarization: Notarize products distributed outside the Mac App Store, and staple the notarization ticket to the container.
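The build, sign, notarize and staple steps above, together with the Developer ID signature check that the Gatekeeper requirement later on this page calls for, as an added Python example (not the page's own or Trio's code). The app path, identifiers, Developer ID Installer identity, team ID and notarytool keychain profile name are constructed placeholders, and the pkgutil output is a constructed sample.

```python
import re
import subprocess

def release_commands(app_path, pkg_id, version, sign_id, notary_profile, out="build"):
    """The argv lists the pipeline runs, in order; returned so they can be reviewed or dry-run."""
    component = f"{out}/{pkg_id}-component.pkg"
    product = f"{out}/{pkg_id}-{version}.pkg"
    return [
        # 1. unsigned component package from the .app, installed into /Applications
        ["pkgbuild", "--component", app_path, "--install-location", "/Applications",
         "--identifier", pkg_id, "--version", version, component],
        # 2. product (distribution) package signed with the Developer ID Installer identity
        ["productbuild", "--package", component, "--sign", sign_id, product],
        # 3. notarize and wait; credentials come from `xcrun notarytool store-credentials`,
        #    so no Apple ID password or API key ever appears on a command line
        ["xcrun", "notarytool", "submit", product, "--keychain-profile", notary_profile, "--wait"],
        # 4. staple the ticket so Gatekeeper can verify the package offline, then confirm it
        ["xcrun", "stapler", "staple", product],
        ["xcrun", "stapler", "validate", product],
    ]

def run_steps(commands, dry_run=False):
    """Execute each step, stopping at the first non-zero exit; returns the tools that ran."""
    ran = []
    for argv in commands:
        if not dry_run:
            subprocess.run(argv, check=True)  # CalledProcessError aborts the release
        ran.append(argv[0])
    return ran

def signature_acceptable(check_output: str, team_id: str) -> bool:
    """Gate for any .pkg before it goes into the MDM catalog, fed the text of
    `pkgutil --check-signature <pkg>`: accept only a package signed by a developer
    certificate issued by Apple whose leaf is the expected Developer ID Installer identity."""
    status = re.search(r"Status:\s*(.+)", check_output)
    leaf = re.search(r"1\.\s*Developer ID Installer: .+\((\w+)\)", check_output)
    return (status is not None
            and status.group(1).startswith("signed by a developer certificate issued by Apple")
            and leaf is not None and leaf.group(1) == team_id)

# Constructed sample of pkgutil --check-signature output, not captured from a real package.
SAMPLE_CHECK_OUTPUT = """Package "com.example.exampleapp-1.2.3.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA
"""
```

Only the command planning and the signature parser run off a Mac; run_steps without dry_run needs the Xcode command-line tools and a stored notarytool profile.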

Testing the Distributed Product

Different Scenarios: Test on a different Mac, considering fresh, upgrade, and duplicate distributions, as well as different user account scenarios.

Web Distribution Requirements

.ipa Format: For web distribution, ensure apps are built with an in-house provisioning profile and signed by a trusted certificate.

Security and User Consent

Security: Code sign, notarize, and take other security measures to protect against threats.

User Notification: Inform users about installations, especially for significant system changes.

Documentation and Package Signing

Documentation: Provide clear instructions on installation and post-installation steps.

Signing: Sign all resources within the package and the package itself for notarization.

Tools for Creating macOS Packages

Utilize tools like pkgbuild, productbuild, and third-party options like Packages, Composer, and Munki to create your macOS packages, as outlined in this comprehensive guide.

Post-Installation Scripts and Permissions

Scripts: Use post-installation scripts to configure software or make system changes.

Full Disk Access: Grant the Packages app full disk access in Privacy and Security settings for a smooth build process.

Best Practices for Distributing and Managing Custom macOS Packages

When distributing and managing custom macOS packages, it’s essential to adhere to best practices that ensure a smooth and secure deployment process. Here are some guidelines to follow:

Deployment Strategies and Package Formats

Use Trio: With Trio, you can automate the deployment of packages, including remote installation actions such as install, cache, install cached, and uninstall.

Supported Formats: Ensure your custom macOS packages are in supported formats like DMG, PKG, or MPKG for hassle-free deployment.

Package Content and Execution

Self-Contained Installers: Your custom macOS packages should be self-sufficient, containing all necessary contents for a full installation without the need for external downloads. This streamlines the installation process and reduces dependency on external resources.

Non-User-Specific Installers: Make sure installers are executable outside a specific user environment, allowing installations even when users are not logged in.

Scripting and Command Line Installation

Minimal Scripting: Keep preinstall or post-install scripts to a minimum, ensuring they are easy to understand and avoid reliance on external scripting languages.

Command Line Friendly: Packages should be installable via the command line and by any management framework, which is crucial for installations without a logged-in user.

Security and Trust

Sign Your Packages: All installer packages should be signed with an Apple Developer ID certificate to establish trust and ensure compatibility with macOS Gatekeeper.

Alternative Packaging Methods

For products that are not suitable for Xcode, consider alternative packaging methods such as Zip archive, Disk image, and Installer package. A detailed explanation of these methods can be found here.

Distributing macOS Packages Through MDM

Distributing macOS packages through MDM (Mobile Device Management) is a streamlined process that can significantly enhance the efficiency and security of software deployment within your organization. Here’s how you can leverage MDM for the distribution of macOS packages:

MDM Distribution Steps

Create a New Group: Start by creating a new group in your MDM platform which contains the target client machines for the macOS package deployment.

Prepare the .pkg File: Download the .pkg file that you intend to distribute and ensure that it is compatible with the system requirements of the client machines.

Add to MDM Catalog: Upload the package file to your MDM solution and add it to the catalog for distribution.

Set Up Auto-Deploy: For solutions like Trio, create an assignment group with auto-deploy enabled and target the content group that holds the package (Firefox, for example) so that the software and its updates reach the right devices.

Manual Distribution via MDM

Upload and Assign: Manually upload the macOS package file to your MDM platform and deploy it using assignment groups on the assignments page.

Bundle ID Considerations: Note that MDM does not have a concept of package updates; if a package with a matching bundle ID exists on the device, MDM will attempt to install the new package over the existing one.

Integrating with Apple Services

Apple Business Manager: Utilize platforms like Apple Business Manager to purchase, distribute, and manage macOS packages and books for Apple devices.

Automated Device Enrollment: Employ methods like Apple Device Enrollment and Automated Device Enrollment for automatic configuration and deployment of Apple devices with the necessary restrictions.

Remote Configuration: The Apple MDM framework allows for the remote configuration and management of devices, including app installation and monitoring device status.

Assignment and Revocation

Apps to Devices or Groups: Assign apps to individual devices or device groups with installation modes including automatic and self-service.

Silent Installation: Supervised devices can receive assigned apps silently, and with iOS 16 and iPadOS 16.1, apps can be installed on supervised devices during Automated Device Enrollment.

License Management: Revoke an app license to remove the app from the device and make the license available for reassignment. Removing a user from managed distribution revokes all their app licenses.

MDM Command Support

InstallEnterpriseApplication and InstallApplication: MDM supports commands like InstallEnterpriseApplication and InstallApplication for the deployment of macOS packages.

For further guidance on MDM distribution of macOS packages, consider reviewing resources from Apple on network optimization and planning device deployments, as well as exploring the capabilities of Trio MDM for native protocol support and package file management.

Monitoring and Managing Apple PKG Deployment

Real-Time Monitoring and Alerts

MDM Console: Utilize your MDM solution’s console to monitor the status of macOS package deployments across your fleet of devices. This allows you to see which devices have successfully installed the package and which may have encountered issues.

Alerts and Notifications: Set up alerts and notifications within the MDM platform to be informed of the success or failure of package installations in real-time. This enables prompt response to any issues that may arise.

Deployment Reports and Analysis

Comprehensive Reports: Generate detailed reports that provide insights into the deployment process. These reports should include information on installation success rates, failure reasons, and package distribution statistics.

Analyzing Trends: Use the reports to analyze trends and patterns in package deployment. This can help identify common issues or successful strategies that can be applied to future deployments.

Incorporating Trio MDM Solution

Enhanced Oversight with Trio MDM: Integrate the Trio MDM solution into your deployment strategy to benefit from its robust monitoring capabilities. Trio MDM can offer a detailed overview of package deployment status, ensuring that your macOS packages are deployed efficiently and securely.

Automated Compliance Checks: With Trio MDM, you can automate compliance checks to ensure that all devices meet the necessary security standards before and after package deployment.

To witness firsthand the positive impact that such a system can have on your operation, you’re invited to try out Trio’s free demo and see how you can make a difference in MDM at your organization. By doing so, you align your company with modern best practices that ultimately drive productivity, maintain security integrity, and uphold user satisfaction—key components of successful IT management in any enterprise.

Conclusion: macOS Package Distribution for Enterprises