Intune Company Portal Download Mac




Note

Download a sample script to install Company Portal for macOS from Intune Shell Script Samples - Company Portal. Follow instructions to deploy the macOS Shell Script using macOS Shell Scripts. Set Run script as signed-in user to No (to run in the system context). Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app. After the Company Portal is downloaded and installed, open it and you’ll be asked to sign in using your corporate credentials. These are the same credentials used to sign in to Office 365 (derived from Azure AD).

This documentation explains the legacy method for deploying and configuring Microsoft Defender for Endpoint on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provides admins with a much simpler way to configure and deploy the application and send it down to macOS devices.
The blog post MEM simplifies deployment of Microsoft Defender for Endpoint for macOS explains the new features. To configure the app, go to Settings for Microsoft Defender for Endpoint for Mac in Microsoft Intune. To deploy the app, go to Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune.


Applies to:

This topic describes how to deploy Microsoft Defender for Endpoint for Mac through Intune. A successful deployment requires the completion of all of the following steps:

Prerequisites and system requirements

Before you get started, see the main Microsoft Defender for Endpoint for Mac page for a description of prerequisites and system requirements for the current software version.

Overview

The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint for Macs, via Intune. More detailed steps are available below.

Step | Sample file names | BundleIdentifier
Download installation and onboarding packages | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp
Approve System Extension for Microsoft Defender for Endpoint | MDATP_SysExt.xml | N/A
Approve Kernel Extension for Microsoft Defender for Endpoint | MDATP_KExt.xml | N/A
Grant full disk access to Microsoft Defender for Endpoint | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc
Network Extension policy | MDATP_NetExt.xml | N/A
Configure Microsoft AutoUpdate (MAU) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2
Microsoft Defender for Endpoint configuration settings (Note: If you're planning to run a third-party AV for macOS, set passiveMode to true.) | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav
Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray

Download installation and onboarding packages

Download the installation and onboarding packages from Microsoft Defender Security Center:

  1. In Microsoft Defender Security Center, go to Settings > Device Management > Onboarding.

  2. Set the operating system to macOS and the deployment method to Mobile Device Management / Microsoft Intune.

  3. Select Download installation package. Save it as wdav.pkg to a local directory.

  4. Select Download onboarding package. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.

  5. Download IntuneAppUtil from https://docs.microsoft.com/intune/lob-apps-macos.

  6. From a command prompt, verify that you have the three files.

  7. Extract the contents of the .zip files:

  8. Make IntuneAppUtil an executable:

  9. Create the wdav.pkg.intunemac package from wdav.pkg:
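
Steps 6 through 9 as a script, with a signer check placed in front of the wrap so that a package not signed under the expected Team ID never becomes a .intunemac file. This is an added example, not Microsoft's own script. It assumes the installer is signed under the Team ID this page lists for the system extensions (UBF8T346G9); the function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Run from the directory that holds
# wdav.pkg, WindowsDefenderATPOnboardingPackage.zip and IntuneAppUtil.

# Assumption: the installer is signed under the same Team ID this page lists
# for the Defender system extensions.
EXPECTED_TEAM_ID="UBF8T346G9"

# Constructed sample of `pkgutil --check-signature` output, for offline checks.
SAMPLE_REPORT='Package "wdav.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Read a signature report on stdin and print the Team ID of the leaf (first)
# certificate, or nothing if the leaf is not a Developer ID Installer cert.
installer_team_id() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\)) *$/\1/p' | head -n 1
}

# Succeed only if the report shows an Apple-issued Developer ID signature
# AND the expected signer. "no signature" or an untrusted chain is rejected.
signature_ok() {
    report=$(cat)
    printf '%s\n' "$report" |
        grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
    team=$(printf '%s\n' "$report" | installer_team_id)
    [ "$team" = "$EXPECTED_TEAM_ID" ]
}

# Steps 6-9: confirm the three files, verify the signer, unpack the onboarding
# package, make IntuneAppUtil executable, then wrap the installer.
prepare_package() {
    pkg=$1
    for f in "$pkg" WindowsDefenderATPOnboardingPackage.zip IntuneAppUtil; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    if ! pkgutil --check-signature "$pkg" | signature_ok; then
        echo "refusing to wrap $pkg: not signed by team $EXPECTED_TEAM_ID" >&2
        return 1
    fi
    unzip -o WindowsDefenderATPOnboardingPackage.zip || return 1
    chmod +x IntuneAppUtil || return 1
    ./IntuneAppUtil -c "$pkg" -o .     # -o takes a directory, not a file name
}
```

On the Mac, source the file and call prepare_package wdav.pkg; the parsing functions can be exercised anywhere by piping SAMPLE_REPORT into them.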

Client device setup

You don't need any special provisioning for a Mac device beyond a standard Company Portal installation.

  1. Confirm device management.

    Select Open System Preferences, locate Management Profile on the list, and select Approve.... Your Management Profile would be displayed as Verified:

  2. Select Continue and complete the enrollment.

    You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.

  3. In Intune, open Manage > Devices > All devices. Here you can see your device among those listed:

Approve System Extensions

To approve the system extensions:

  1. In Intune, open Manage > Device configuration. Select Manage > Profiles > Create Profile.

  2. Choose a name for the profile. Change Platform=macOS to Profile type=Extensions. Select Create.

  3. In the Basics tab, give a name to this new profile.

  4. In the Configuration settings tab, add the following entries in the Allowed system extensions section:

    Bundle identifier | Team identifier
    com.microsoft.wdav.epsext | UBF8T346G9
    com.microsoft.wdav.netext | UBF8T346G9

  5. In the Assignments tab, assign this profile to All Users & All devices.

  6. Review and create this configuration profile.

Create System Configuration profiles

  1. In Intune, open Manage > Device configuration. Select Manage > Profiles > Create Profile.

  2. Choose a name for the profile. Change Platform=macOS to Profile type=Custom. Select Configure.

  3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.

  4. Select OK.

  5. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.

  6. Repeat steps 1 through 5 for more profiles.

  7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.

  8. Download fulldisk.mobileconfig from our GitHub repository and save it as tcc.xml. Create another profile, give it any name and upload this file to it.

    Caution

    macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.

    This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.

  9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download netfilter.mobileconfig from our GitHub repository, save it as netext.xml and deploy it using the same steps as in the previous sections.

  10. To allow Microsoft Defender for Endpoint for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download notif.mobileconfig from our GitHub repository and import it as a custom payload.

  11. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.

Once the Intune changes are propagated to the enrolled devices, you can see them listed under Monitor > Device status:

Publish application

  1. In Intune, open the Manage > Client apps blade. Select Apps > Add.

  2. Select App type=Other/Line-of-business app.

  3. Select file=wdav.pkg.intunemac. Select OK to upload.

  4. Select Configure and add the required information.

  5. Use macOS High Sierra 10.14 as the minimum OS.

  6. Set Ignore app version to Yes. Other settings can be any arbitrary value.

    Caution

    Setting Ignore app version to No impacts the ability of the application to receive updates through Microsoft AutoUpdate. See Deploy updates for Microsoft Defender for Endpoint for Mac for additional information about how the product is updated.

    If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Microsoft Defender for Endpoint. This could result in a non-functioning application. See Deploy updates for Microsoft Defender for Endpoint for Mac for additional information about how the product is updated. If you deployed Microsoft Defender for Endpoint with Ignore app version set to No, please change it to Yes. If Microsoft Defender for Endpoint still cannot be installed on a client device, then uninstall Microsoft Defender for Endpoint and push the updated policy.

  7. Select OK and Add.

  8. It may take a few moments to upload the package. After it's done, select the package from the list and go to Assignments and Add group.

  9. Change Assignment type to Required.

  10. Select Included Groups. Select Make this app required for all devices=Yes. Select Select group to include and add a group that contains the users you want to target. Select OK and Save.

  11. After some time the application will be published to all enrolled devices. You can see it listed in Monitor > Device, under Device install status:

Verify client device state

  1. After the configuration profiles are deployed to your devices, open System Preferences > Profiles on your Mac device.


  2. Verify that the following configuration profiles are present and installed. The Management Profile should be the Intune system profile. Wdav-config and wdav-kext are system configuration profiles that were added in Intune:

  3. You should also see the Microsoft Defender icon in the top-right corner:
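
A profile showing as installed confirms delivery, not that macOS has activated the extensions it approves. This added example (not from the original page) parses systemextensionsctl list output and checks that both bundle identifiers from the Approve System Extensions table are activated under Team ID UBF8T346G9. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.

TEAM_ID="UBF8T346G9"     # Team identifier from the Approve System Extensions table
REQUIRED_EXTENSIONS="com.microsoft.wdav.epsext com.microsoft.wdav.netext"

# Constructed sample of `systemextensionsctl list` output (versions and names
# are made up). Real output is tab-separated; the parser treats any whitespace
# alike. netext is left unapproved here to show the failure case.
SAMPLE_LIST='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled  active  teamID  bundleID (version)  name  [state]
*  *  UBF8T346G9  com.microsoft.wdav.epsext (0.0.0/0.0.0)  Endpoint Security Extension  [activated enabled]
--- com.apple.system_extension.network_extension
enabled  active  teamID  bundleID (version)  name  [state]
   *  UBF8T346G9  com.microsoft.wdav.netext (0.0.0/0.0.0)  Network Extension  [activated waiting for user]'

# $1 = bundle identifier; listing on stdin. Prints the text inside the
# trailing [...] for the row whose teamID and bundleID columns both match,
# or nothing when no such row exists (wrong team or extension absent).
extension_state() {
    awk -v team="$TEAM_ID" -v bundle="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == team && $(i + 1) == bundle) { print; exit } }' |
        sed 's/.*\[\(.*\)\][[:space:]]*$/\1/'
}

# Listing on stdin. Prints one OK/FAIL line per required extension and
# returns non-zero unless every one of them is "activated enabled".
check_extensions() {
    list=$(cat)
    rc=0
    for bundle in $REQUIRED_EXTENSIONS; do
        state=$(printf '%s\n' "$list" | extension_state "$bundle")
        if [ "$state" = "activated enabled" ]; then
            echo "OK   $bundle"
        else
            echo "FAIL $bundle (${state:-not found under team $TEAM_ID})"
            rc=1
        fi
    done
    return $rc
}
```

On a managed Mac, run systemextensionsctl list | check_extensions; a non-zero exit status can feed a compliance script or a help-desk check.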

Troubleshooting

Issue: No license found

Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml

Logging installation issues

For more information on how to find the automatically generated log that is created by the installer when an error occurs, see Logging installation issues.

Uninstallation

See Uninstalling for details on how to remove Microsoft Defender for Endpoint for Mac from client devices.

Citrix Workspace app is here to replace Citrix Receiver with a new UI and capabilities (primarily for Citrix Cloud customers). Here’s how to deploy it across various supported platforms in a modern management capacity with Microsoft Intune.

Windows 10

There are multiple deployment options for Workspace app on Windows via Microsoft Intune:

  • Workspace app from the Microsoft Store. This version has some feature limitations but requires the least amount of effort to deploy
  • The full Workspace app that provides the best compatibility, but doesn’t ship as a Windows Installer file and therefore requires custom solutions to deploy

Microsoft Store

Adding the Workspace app from the Microsoft Store is well documented and should take only 5 minutes to get the app from the Store, synchronise to Intune and assign the app to your users. How’s that for done and dusted? - I’m sure you’ve got better things to do than package and maintain applications.

Citrix Workspace in the Microsoft Store

The Workspace app can be assigned as available for end-users to install via the Intune Company Portal or required for automatic deployment. Once deployed, the Store will take care of updates, thus there is no further action required by the administrator.

Citrix Workspace app in the Microsoft Intune Company Portal

If you have already deployed Citrix Receiver from the Microsoft Store via Intune, it should be automatically updated to Citrix Workspace. One of the key feature limitations of the Microsoft Store version is pass-through authentication, so you might need to consider alternative deployment options.

PowerShell

The Workspace app installer is a single executable, just as it has been with Citrix Receiver. This presents a challenge to deploy Workspace app as a line-of-business application with Intune, which requires Win32 applications to be packaged as a single Windows Installer file. PowerShell scripts are a simple alternative, but deploying applications via PowerShell has two key considerations:

  • PowerShell scripts can’t be applied to computer groups
  • PowerShell scripts are executed on devices only when an Azure Active Directory user is signed in to the device

Deploying this way also means that the Workspace app will be deployed regardless of user choice and of course does not support deployment via the Intune Company Portal.

Like we’ve done previously with Citrix Receiver, the Workspace app can be deployed to Windows 10 machines via Intune with PowerShell without requiring custom packaging. We need a consistent URL that will always download the latest version of Workspace app and a command line to perform a silent installation. Your command line options might differ depending on your target environment, but the example script below will download and install the Workspace app.

Once deployed, devices must then rely on auto-updates to ensure that Workspace app is kept up-to-date.

Re-package Citrix Workspace app for Windows Installer

With the right tools and a bit of effort, Citrix Workspace app can be re-packaged into a single Windows Installer file. Once you’ve packaged the app with this method you’ll need to maintain the package and update it regularly. As with the PowerShell method though, auto-updates will keep Workspace app up-to-date once deployed.

Is this approach right for you? This requires maintaining and deploying a custom package and is dependent on how the environment is managed and available skillsets. Only you can answer that for your projects or environments. A custom package isn’t ideal and I recommend using the Microsoft Store version as the default approach instead.

Citrix Workspace app extracted Windows Installer files

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine, required for optimising Skype for Business under XenApp and XenDesktop, does come as a single Windows Installer file. This makes it easy to deploy the engine to Windows PCs as a Required line-of-business application without modification or custom packaging. This will ensure that no user interaction is required to install the engine since most users are unlikely to know what it does anyway.

Bonus: Citrix Workspace app for Chrome

If you have Google Chrome deployed in your environment and you’d like to deploy the Citrix Workspace app for Chrome, this can be achieved with a PowerShell script that will either deploy it as a preference that users must approve or as a policy that will be automatically pushed out and users will be unable to remove from Chrome.

Google provides detailed documentation on deploying Chrome extensions on Windows.

Here’s a basic script to deploy Workspace app for Chrome via PowerShell that uses the app’s Chrome Web Store identifier (haiffjcadagjlijoggckpgfnoeiflnem) to tell Chrome to install the app on next launch. This shows both approaches - deploy as a preference or enforced.

Add the script to the Intune portal and assign to a user group to deploy. Ensure the script runs in the system context because it needs to write to HKLM.

macOS

The Citrix Workspace app can be deployed as a line-of-business application with Microsoft Intune. The Workspace app download comes as an Installer package (inside an Apple Disk Image) that can be converted into suitable file format with the Microsoft Intune App Wrapping Tool, ready to deploy with Intune.

The Citrix Workspace app disk image

Convert the Installer

Instructions for converting a .pkg file to a .intunemac file are outlined in the documentation, and the basic process I have followed to convert the Citrix Workspace app installer file is:

  1. Download the Intune App Wrapping Tool for Mac executable - IntuneAppUtil - to a local folder. I’ve downloaded it to ~/bin.
  2. Mark the file as executable. In my example, I’ve done this with:
  3. Optionally copy the Install Citrix Workspace.pkg file to a local folder. You should also be able to run the converter against the copy stored in the disk image. In my example, I’ve copied the installer to ~/Projects/Intune-Apps. Rename the installer to remove spaces, so rename the file to InstallCitrixWorkspace.pkg.

Note: Removing the spaces from the installer name before converting is important, otherwise when installing the application, macOS will report the following error and the installation will fail to download and install:

  4. Convert the .pkg file into the required .intunemac format with a command similar to the following example - note that the -o switch should include a directory path only.

If successful the command line will look similar to the following screenshot:

Converting the Citrix Workspace app with IntuneAppUtil

The Workspace app installer will have been converted into a .intunemac format ready to import into the Intune portal for distributing to users.

The converted Citrix Workspace app

Distribute with Intune

With the prepared package, create a new line-of-business app in the Intune portal, select the .intunemac file and enter application information as follows:

  • Name - Citrix Workspace
  • Description - copy and paste the description from Workspace app on the Microsoft Store
  • Publisher - Citrix
  • Ignore app version - Yes
  • Category - Business or Productivity
  • Information URL - https://docs.citrix.com/en-us/citrix-workspace-app-for-mac.html
  • Privacy URL - https://www.citrix.com.au/about/legal.html
  • Logo - download the Workspace app icon in PNG format here

Once the details have been added, click OK to create the application. I initially had issues with uploading the application on Chrome on macOS. I was successful on Internet Explorer.

Adding the Citrix Workspace app as a line-of-business app in Microsoft Intune

Once the application has been created and assigned to users, it will be available for install in the Intune Company Portal. The application can also be set to required for automatic deployment.

Citrix Workspace available in the Intune Company Portal on macOS

Just as on Windows, updates to the Citrix Workspace app can be managed with the inbuilt updater, post-deployment.

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine is also available as an installer package that can be converted and deployed the same way as Workspace itself. Citrix Workspace app is now a 64-bit macOS application and will, therefore, require a 64-bit version of the HDX RealTime Media Engine. Right now, a 64-bit HDX RealTime Media Engine is in tech preview that can be downloaded, packaged, uploaded as a line-of-business application and assigned.

iOS

As at the time of writing, Citrix Receiver is still available on the iOS App Store and we should see it updated to Citrix Workspace app soon. Adding an iOS application in Microsoft Intune is, fortunately, a simple process:

  1. Add an application and choose ‘Store app - iOS’, then search the app store
  2. Search for ‘Citrix’, ‘Citrix Receiver’ or ‘Citrix Workspace’
  3. Choose ‘Citrix Receiver’ or ‘Citrix Workspace’ depending on what is returned
  4. Save the change and Add the application
  5. Assign the application as required

The application will be available in the Intune Company Portal:

Citrix Workspace for iOS available in the Intune Company Portal

For existing deployments of Citrix Receiver, they should be updated to Citrix Workspace app automatically.

Android

Android Store app

At the time of writing, the Workspace app for Android is not available in the Google Play Store, but a tech preview is available for download as an APK. I would recommend deploying Citrix Receiver via the Google Play Store, but with access to an APK file, you can deploy Android applications directly to enrolled devices as a line-of-business application with Intune.

The process for deploying Citrix Workspace app or Citrix Receiver on Android follows the standard Android store app deployment steps:

  1. Add an application and choose ‘Store app - Android’, then search the app store
  2. Name - ‘Citrix Workspace’ or ‘Citrix Receiver’
  3. Description - copy and paste the description from Workspace app on the Microsoft Store
  4. Publisher - Citrix
  5. Appstore URL - https://play.google.com/store/apps/details?id=com.citrix.Receiver
  6. Minimum operating system - Android 4.4 (Kitkat)
  7. Category - Business or Productivity
  8. Privacy URL - https://www.citrix.com.au/about/legal.html
  9. Logo - download the Workspace app icon in PNG format here

Assign the application and it will be available to users in the Intune Company Portal.

Android Work Profile app


In the future, it’s more likely that organisations will leverage the Android enterprise capabilities, previously known as Android for Work. This also simplifies Android app deployment with a connection between Microsoft Intune and the Google Play store. Once configured, browse the Google Play store, approve a list of desired apps and these will then appear for assignment in the Mobile Apps node in Intune.


Here’s Citrix Receiver in the Google Play store.

Approving Citrix Receiver in the Google Play store

Once approved, you must choose how new permissions will be approved:

  • Keep approved when app requests new permissions - Users will be able to install the updated app. (Default)
  • Revoke app approval when this app requests new permissions - App will be removed from the store until it is reapproved.

You can approve and deploy Citrix Receiver today, which should be automatically updated to Citrix Workspace app once it is released.

Wrap-up

In this article, I’ve covered the high-level steps required for deployment of the Citrix Workspace app across the various major platforms supported by Microsoft Intune. Mobile platforms, including the Microsoft Store on Windows 10, will require the least amount of administrative effort to configure, deploy and update. For most organisations supporting Windows as their primary platform, even with Microsoft Intune, the choice of deployment solution will depend on Workspace app feature requirements.




