In this post, I will show you how to deploy macOS shell scripts using Intune. Shell scripts let you go beyond the built-in configuration profiles and extend what Intune can manage on macOS devices.
We all know that you can efficiently deploy PowerShell scripts on Windows devices using Intune. Running a shell script on a macOS device is a game changer, since these scripts allow you to make complicated changes to your macOS devices. If you have numerous Mac devices in your setup, you may use Intune to mass distribute configuration updates to these devices.
When you create and assign a shell script policy to macOS devices, the script runs on each device as a separate process, and its run status (including the exit code) is reported back to Intune so administrators can see whether it succeeded or failed. When you configure a script to run at regular intervals, it is cached locally on the device so it does not have to be downloaded again for every run.

Prerequisites
The following prerequisites are required to deploy shell scripts on macOS devices using Intune:
- The macOS devices must be running version 12.0 or later.
- You must enroll macOS devices in Intune before you run shell scripts.
- The macOS devices must be connected directly to the Internet. Connection through a proxy is not supported.
- You must have a working script ready to apply it to macOS devices.
- Shell scripts begin with #! and must be in a valid location such as #!/bin/sh or #!/usr/bin/env zsh.
- Command-line interpreters for the applicable shells are installed.
- The script file must be less than 1 MB in size.
Note: Rosetta 2 is required to run x64 (Intel) versions of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script from the Intune admin center (formerly Endpoint Manager). Also see how to manage software updates on macOS using Intune.
Considerations for using macOS Shell Scripts with Intune
Listed below are important considerations provided by Microsoft before using shell scripts on macOS devices using Intune:
- Shell scripts require the Microsoft Intune management agent on the macOS device. Intune installs the agent automatically on an enrolled device when a shell script (or custom attribute) is first assigned to it, so no separate deployment is needed.
- Shell scripts deployed via Intune run in parallel on devices as separate processes.
- Shell scripts that are run as the signed-in user will run for all currently signed-in user accounts on the device at the time of the run.
- An end user is required to sign in to the device to execute scripts running as a signed-in user.
- Root user privileges are required if the script requires making changes that a standard user account cannot.
- Shell scripts will attempt to run more frequently than the chosen script frequency for certain conditions. For example, if the disk is full, if the storage location is tampered with, if the local cache is deleted, or if the Mac device restarts.
- The shell scripts that are running for longer than 60 minutes are stopped and reported as “failed“.
Prepare macOS Shell Script
Before assigning a shell script policy in Intune, ensure it is tested for functionality. Manually execute the script on a Mac device to confirm it operates correctly.
In this post, I will demonstrate the deployment of a sample shell script that enables Remote Management on a Mac. Users can turn Remote Management on or off manually in System Settings (System Settings > General > Sharing > Remote Management); the same change can be made with a shell script. Because Remote Management allows screen observation and control over the network, treat it as a sensitive setting: Apple's kickstart tool can restrict access to specified users (-allowAccessFor -specifiedUsers), and the policy should be assigned only to the groups that need it.
The script below activates Remote Management on your macOS devices. Create the file in any text editor (Notepad on Windows works if you save it with Unix LF line endings; a file saved with Windows CRLF endings fails to start on the Mac with a "bad interpreter" error, because the carriage return becomes part of the interpreter path on the #! line), paste in the code below, and save it as macoshellscript.sh. A .sh file is a script run by the shell named on its first line, here /bin/sh. You will upload this file to Intune in the next step.
#!/bin/sh
# Intune runs the script as root by default, so sudo is not needed here (and would hang the run waiting for a password if the script were set to run as the signed-in user).
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
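As an added example that is not the script from the post, here is the same policy written the way I would ship it through Intune: it refuses to run unless it is root, validates the list of allowed accounts, restricts Remote Management to named local administrators instead of only starting the service, verifies that the agent came up, and returns a distinct non-zero exit code per failure so the Intune report tells you which step failed. The account name localadmin and the ARD_USERS variable are assumptions; replace them with your own administrator account(s). The kickstart options are Apple's documented ones. On a non-Mac the file only defines its functions, so it can be syntax-checked off-device.

```shell
#!/bin/sh
# Added example, not the script from the post: enable Apple Remote Management with the
# checks a production Intune policy needs. Intune reports exit 0 as Success and anything
# else as Failed, so each failure path below returns its own code.
# Assumption: the local administrator account(s) allowed to connect are listed in ARD_USERS.
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
ARD_USERS="${ARD_USERS:-localadmin}"   # comma-separated, no spaces (the kickstart -users format)

log() { echo "$(date '+%Y-%m-%dT%H:%M:%S') remote-management: $*"; }

# Accept only plain account names, so a bad ARD_USERS value can never become extra
# kickstart arguments or shell syntax.
valid_user_list() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*(,[A-Za-z_][A-Za-z0-9_.-]*)*$'
}

# True when the Remote Management agent process is running.
ard_agent_running() {
    pgrep -x ARDAgent >/dev/null 2>&1
}

enable_remote_management() {
    valid_user_list "$ARD_USERS" || { log "rejecting ARD_USERS value: $ARD_USERS"; return 2; }
    # kickstart does not check that the accounts exist; a typo would silently grant nobody access.
    for u in $(printf '%s' "$ARD_USERS" | tr ',' ' '); do
        id "$u" >/dev/null 2>&1 || { log "no local account named $u"; return 3; }
    done
    # Turn the service on for the listed users only. -activate by itself (the post's script)
    # starts the service without changing who is allowed to connect.
    "$KICKSTART" -activate -configure -allowAccessFor -specifiedUsers || return 4
    "$KICKSTART" -configure -users "$ARD_USERS" -access -on -privs -all || return 5
    "$KICKSTART" -restart -agent >/dev/null 2>&1 || true
    ard_agent_running || { log "ARDAgent is not running after activation"; return 6; }
    log "enabled for $ARD_USERS"
    return 0
}

# Intune runs scripts as root by default; do not add sudo, which would block for a password
# (and hit the 60-minute limit) if "Run script as signed-in user" were ever set to Yes.
if [ "$(uname)" != "Darwin" ]; then
    : # not a Mac: only define the functions above, so the file can be syntax-checked elsewhere
elif [ "$(id -u)" -ne 0 ]; then
    log "must run as root; leave 'Run script as signed-in user' set to No"
    exit 1
else
    enable_remote_management
    exit $?
fi
```

Deploy it with the default settings from Step 2 (run as root, notifications as you prefer). If you later need to revoke access, kickstart's -deactivate and -configure -access -off options reverse the change, and the same exit-code pattern applies.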
Deploy macOS Shell Scripts using Intune
Let’s go through the steps to run shell scripts on macOS devices in Intune.
Step 1: Create a shell script policy
Use the following steps to create a new shell script policy in Intune.
- Sign in to Microsoft Intune Admin Center.
- Navigate to Devices > macOS > Scripts.
- Click on the + Add option to create a Shell Script for macOS.

Enter a name and description for the shell script. Click Next.

Step 2: Upload and Configure Shell Script
On the Script Settings tab, click on the Browse icon and upload the shell script. The script file must be less than 1 MB in size. You can view the script that has been uploaded, but you cannot edit or modify the script at this time.

Scroll down a bit, and here you’ll find a few important settings that can be configured for your macOS script execution.
- Run script as signed-in user: Select Yes to run the script with the signed-in user's privileges. Choose No (the default) to run the script as root, which can make system changes a standard user account cannot. Because a root-run script can change anything on the device, limit who may create and edit scripts with Intune role-based access control and review every script before assigning it.
- Hide script notifications on devices: By default, script notifications are shown for each script that is run. End users see an IT is configuring your computer notification from Intune on macOS devices. When not configured, these messages are shown in Notification Center.
- Script frequency: Select how often the script is to be run on macOS devices. Select Not configured (default) to run a script only once.
- Max number of times to retry if script fails: Select how many times the script should be run if it returns a non-zero exit code (zero meaning success). Select Not configured (default) to not retry when a script fails.

Step 3: Assign the Shell Script Policy
On the Assignments tab, select one or more Microsoft Entra user or device groups that are to receive the script. Choose Select. The groups you select are shown in the list, and will receive your script policy. Click Next.

In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the script policy is deployed to the macOS device/user groups you selected.

The macOS Shell script you created now appears in the list of scripts. If needed, you can select and view the contents of macOS shell scripts after you upload them to Intune.
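The prerequisites above (shebang on the first line, a present interpreter, under 1 MB) and Steps 1 to 3 can be automated instead of clicked through. The following is an added example, not code from the post or from Microsoft: it checks the local file the way Intune requires (including the CRLF problem mentioned in the script preparation), then creates the script and assigns it to a group through the Microsoft Graph beta API. Assumptions: GRAPH_TOKEN holds a bearer token with the DeviceManagementConfiguration.ReadWrite.All permission, GROUP_ID is the object ID of the target Entra group, the deviceShellScripts resource and property names are those of the beta API as I know them (verify against the current schema before relying on it), and the id is pulled from the response with sed rather than jq to keep the script dependency-free.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: validate a script against the Intune
# prerequisites, then create and assign it through the Microsoft Graph beta API.
# Assumptions: GRAPH_TOKEN is a bearer token with DeviceManagementConfiguration.ReadWrite.All,
# GROUP_ID is the target Entra group's object ID, and the deviceShellScripts beta resource
# and property names are as documented at the time of writing.
set -u

GRAPH="https://graph.microsoft.com/beta"
MAX_BYTES=1048576   # the 1 MB limit from the prerequisites

# Pre-upload check mirroring what Intune requires: under 1 MB, LF line endings (a CRLF
# shebang makes the kernel look for "/bin/sh<CR>"), a #! first line, and an interpreter that exists.
check_intune_script() {
    local f="$1" size first interp
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -lt "$MAX_BYTES" ] || { echo "$f is $size bytes; the limit is 1 MB" >&2; return 1; }
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f has CRLF line endings; fix with: tr -d '\\r' < $f > fixed.sh" >&2; return 1
    fi
    first=$(head -n 1 "$f")
    case "$first" in
        '#!/'*) ;;
        *) echo "$f must start with #!, got: $first" >&2; return 1 ;;
    esac
    interp=${first#'#!'}; interp=${interp%% *}   # "#!/usr/bin/env zsh" -> "/usr/bin/env"
    [ -x "$interp" ] || { echo "interpreter not found: $interp" >&2; return 1; }
}

# Escape the two characters that would break a JSON string (the values we send are simple).
json_str() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Body for POST /deviceManagement/deviceShellScripts. scriptContent is the base64 of the file,
# runAsAccount is "system" (root, the portal default) or "user", executionFrequency is an
# ISO 8601 duration such as P1D and is omitted for a run-once script.
build_shell_script_body() {
    local file="$1" name="$2" run_as="${3:-system}" frequency="${4:-}" retries="${5:-0}" hide="${6:-false}"
    local content freq=""
    content=$(base64 < "$file" | tr -d '\n')
    if [ -n "$frequency" ]; then freq=$(printf '"executionFrequency":"%s",' "$frequency"); fi
    printf '{"@odata.type":"#microsoft.graph.deviceShellScript","displayName":"%s","fileName":"%s","scriptContent":"%s","runAsAccount":"%s",%s"retryCount":%s,"blockExecutionNotifications":%s}' \
        "$(json_str "$name")" "$(json_str "$(basename "$file")")" "$content" "$run_as" "$freq" "$retries" "$hide"
}

# Body for the script's assign action: one Entra group as the target.
build_assign_body() {
    printf '{"deviceManagementScriptAssignments":[{"@odata.type":"#microsoft.graph.deviceManagementScriptAssignment","target":{"@odata.type":"#microsoft.graph.groupAssignmentTarget","groupId":"%s"}}]}' "$1"
}

graph_post() {  # graph_post <path> <json>
    curl -sS -X POST "$GRAPH$1" -H "Authorization: Bearer $GRAPH_TOKEN" \
        -H "Content-Type: application/json" --data "$2"
}

# Validate, create, assign; prints the new script id. Run once, as root, retry 3 times, show notifications.
deploy_shell_script() {  # deploy_shell_script <file> <displayName> <groupId>
    local body id
    check_intune_script "$1" || return 1
    body=$(build_shell_script_body "$1" "$2" system "" 3 false)
    id=$(graph_post /deviceManagement/deviceShellScripts "$body" | sed -n 's/.*"id":"\([^"]*\)".*/\1/p')
    [ -n "$id" ] || { echo "create failed (check the token and its permissions)" >&2; return 1; }
    graph_post "/deviceManagement/deviceShellScripts/$id/assign" "$(build_assign_body "$3")" >/dev/null || return 1
    echo "$id"
}

# Usage: GRAPH_TOKEN=... GROUP_ID=... ./deploy.sh deploy macoshellscript.sh "Enable Remote Management"
if [ "${1:-}" = "deploy" ]; then
    deploy_shell_script "$2" "$3" "$GROUP_ID"
fi
```

The validation step is worth running even if you keep using the admin center: the portal accepts a CRLF file without complaint, and the failure only shows up later in the Device status report.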

Step 4: Sync policies
The shell script policy applies when the targeted devices next check in with the Intune service and receive the script. To pick up the new policy sooner, you can manually sync policies on the macOS devices.
Step 5: Monitor macOS Shell Script Policy in Intune
You can monitor the run status of all assigned macOS scripts for users and devices by choosing one of the following reports in Intune:
- Scripts > select the script to monitor > Device status.
- Scripts > select the script to monitor > User status.
In the screenshot below, the script policy has executed successfully on the macOS device, and Remote Management was enabled on the Mac by the deployed script. This confirms that shell scripts can be deployed to remote Mac devices through Intune.

macOS Script Status and Descriptions
On certain Mac devices, a script policy might execute successfully, while on others, it could fail. To effectively troubleshoot macOS shell script policies, it is essential to understand their execution status. Once a script finishes running on a macOS device, it returns one of the following statuses.
Shell Script Status | Description |
---|---|
Success | Indicates that the script returned zero as the exit code. |
Failed | Indicates that the script returned a non-zero exit code or the script is malformed. |
No Status | In the unlikely event that a script is received on the device and the device goes offline before the run status is reported, the device will not report run status for the script in the admin center. |
Troubleshoot macOS shell script policies using log collection
If the shell scripts fail to deploy on Mac devices, you can collect device logs to help troubleshoot script issues. Here is a useful guide that shows how to collect Intune logs on managed macOS devices.
Three reasons why a shell script fails to run
In rare circumstances, after creating and assigning a shell script policy to macOS devices, the associated scripts do not run. The following are some reasons why the assigned scripts fail to run on macOS devices:
- The agent might need to check in to receive new or updated scripts. This check-in process occurs every 8 hours and is different from the MDM check-in. Make sure that the device is awake and connected to a network for a successful agent check-in, and wait for the agent to check in. You can also request the end user to open Company Portal on the Mac, select the device and click Check settings.
- The Intune agent may not be installed on the Mac. Check that the agent is present at /Library/Intune/Microsoft Intune Agent.app.
- The agent may not be in a healthy state. The agent attempts to recover for 24 hours, then removes itself and reinstalls if shell scripts are still assigned.
Further Reading
Consider reading the following guides related to Mac management with Microsoft Intune:
- Create Custom Attributes for macOS using Intune
- Enable Stealth Mode on macOS using Intune
- How to Configure macOS Firewall with Intune
- Use FileVault disk encryption for macOS with Intune
- Rotate FileVault recovery keys for macOS in Intune