In this post, I will show you how to run shell scripts on macOS devices in Intune. You can use shell scripts on macOS devices to extend device management capabilities in Intune.
We all know that you can deploy PowerShell scripts on Windows devices using Intune. Running a shell script on a macOS device is a game changer, since these scripts allow you to make complicated changes to your macOS devices. If you have numerous Mac devices in your setup, you may use Intune to mass distribute configuration updates to these devices.
When you create and assign a shell script policy to macOS devices, the script runs on each device as a separate process, and its run status is reported back to Intune, so administrators can see whether it succeeded or which exit code it returned. When a script is set to run at regular intervals, it is cached locally so the device does not have to download it again for every run.
Note: Rosetta 2 is required to run x64 (Intel) builds of apps on Apple silicon Macs. To install Rosetta 2 on Apple silicon Macs automatically, you can deploy a shell script from Endpoint Manager. Also see how to manage software updates on macOS using Intune.
The following prerequisites are required to run shell scripts on macOS devices using Intune:
- The macOS devices must be running version 11.0 or later.
- You must enroll macOS devices in Intune before you run shell scripts.
- The macOS devices must be connected directly to the Internet. Connection through a proxy is not supported.
- You must have a script ready to apply it to macOS devices.
- Shell scripts must begin with a shebang line (#!) that names a valid interpreter, such as #!/bin/sh or #!/usr/bin/env zsh.
- Command-line interpreters for the applicable shells are installed.
Considerations for using macOS Shell Scripts with Intune
Listed below are important considerations provided by Microsoft before using shell scripts on macOS devices using Intune:
- Shell scripts require the Microsoft Intune management agent to be installed on the macOS device. On an enrolled device, Intune installs the agent automatically once a shell script (or custom attribute) is assigned to it, so you do not need to deploy the agent separately.
- Shell scripts deployed via Intune run in parallel on devices as separate processes.
- Shell scripts that are run as the signed-in user will run for all currently signed-in user accounts on the device at the time of the run.
- An end user is required to sign in to the device to execute scripts running as a signed-in user.
- Root privileges are required if the script makes changes that a standard user account cannot. In that case, leave the "Run script as signed-in user" setting at No so the script runs as root.
- Shell scripts will attempt to run more frequently than the chosen script frequency for certain conditions. For example, if the disk is full, if the storage location is tampered with, if the local cache is deleted, or if the Mac device restarts.
- The shell scripts that are running for longer than 60 minutes are stopped and reported as “failed“.
Get the Shell Script Ready for macOS
As mentioned earlier, you must have the shell script ready so that you can run it on your macOS devices. I will be deploying a sample macOS shell script that will enable remote management on Mac.
For those new to it, Remote Management on a Mac lets remote users manage the device using Apple Remote Desktop. It permits users who have been granted access to manage the system, interact with users, configure preferences, deploy files, and so on. Mac users can turn Remote Management on or off from System Settings (System Settings > General > Sharing > Remote Management).
The script below activates Remote Management on your macOS devices. Open a plain-text editor (TextEdit in plain-text mode, or any editor; avoid word processors that add formatting), copy the code below into a file and save it as filename.sh (an .sh file is a script run by a Unix shell such as sh, bash or zsh). You'll upload this file to Intune in the next step. Note that the script starts with a shebang line, as the prerequisites require, and that it does not use sudo: Intune runs scripts as root unless you choose otherwise, and sudo cannot prompt for a password in an unattended run.

```sh
#!/bin/sh
# Runs as root under Intune (the default), so no sudo is needed.
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
```

Note: Before you create and assign a shell script policy in Intune, test the script for functionality by running it manually on a Mac. Keep in mind that this script turns on a remote-control service on every Mac it reaches, so assign it only to the devices that need it and confirm in the Sharing pane afterwards which accounts actually have access.
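The one-line script above turns the service on with whatever access configuration the Mac already has. The version below is an added example written for this post, not the original script: it fails closed by refusing to run until you have named the local accounts that may use Remote Management, validates those accounts, and returns distinct non-zero exit codes so that a problem shows up in Intune as Failed (and gets the configured retries) instead of a silent success. The ALLOWED_USERS variable, the KICKSTART override, the helper names and the exit-code numbering are this example's own choices; kickstart and its -activate, -configure, -access, -allowAccessFor, -users, -privs and -restart options are Apple's.

```sh
#!/bin/sh
# Enable Apple Remote Management through Intune, limited to named local accounts.
# Added example for this post, not the original one-liner. Intune runs it as root
# by default, so there is no sudo; a non-zero exit makes Intune report "Failed"
# and apply the configured retry count.

# Edit before uploading: space-separated local account names that may use ARD.
# Deliberately empty so an unedited script fails closed instead of turning the
# service on for everyone.
ALLOWED_USERS="${ALLOWED_USERS:-}"

# Apple's kickstart tool (fixed path on macOS); overridable for testing (assumption).
KICKSTART="${KICKSTART:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*"; }

# kickstart expects a comma-separated user list.
join_commas() { (IFS=,; printf '%s' "$*"); }

# Reject names with shell metacharacters and names that are not local accounts;
# a typo would otherwise be accepted and grant access to nobody, or to the wrong
# account, while still exiting 0.
validate_users() {
    for u in "$@"; do
        case "$u" in
            ''|*[!A-Za-z0-9._-]*) log "invalid account name: '$u'"; return 1 ;;
        esac
        id "$u" >/dev/null 2>&1 || { log "no such local account: $u"; return 1; }
    done
    return 0
}

# Turn the ARD agent on for exactly the accounts given as arguments.
# Exit codes: 2 no users, 3 kickstart missing, 4 bad user list, 5 kickstart failed.
enable_remote_management() {
    [ $# -gt 0 ] || { log "refusing to enable Remote Management with no allowed users"; return 2; }
    [ -x "$KICKSTART" ] || { log "kickstart not found at $KICKSTART"; return 3; }
    validate_users "$@" || return 4
    # -allowAccessFor -specifiedUsers keeps every other account out;
    # -privs -all gives the listed accounts full ARD privileges;
    # -restart -agent reloads the agent so the settings take effect now.
    "$KICKSTART" -activate -configure -access -on \
        -allowAccessFor -specifiedUsers -users "$(join_commas "$@")" \
        -privs -all -restart -agent \
        || { log "kickstart failed (exit $?)"; return 5; }
    log "Remote Management enabled for: $*"
    return 0
}

main() {
    [ "$(uname)" = "Darwin" ] || { log "not macOS, nothing to do"; return 1; }
    [ "$(id -u)" -eq 0 ] || { log "must run as root: leave 'Run script as signed-in user' at No"; return 1; }
    # Word-splitting of ALLOWED_USERS into separate arguments is intended here.
    enable_remote_management $ALLOWED_USERS
}

main
```

Set ALLOWED_USERS, run the file manually as root on a test Mac (the validation the note above asks for), then upload it with "Run script as signed-in user" left at No. To reverse the change later, a second script calling kickstart -deactivate -configure -access -off turns the service back off.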
Run Shell Scripts on macOS devices in Intune
Let’s go through the steps to run shell scripts on macOS devices in Intune. Use the following steps to create and assign a shell script policy to macOS devices in Intune.
- Sign in to Microsoft Intune Admin Center.
- Navigate to Devices > macOS and select Shell Scripts.
- Click the Add button to create a Shell Script for macOS.
Enter a name for the profile in the Basics tab of the Add Script pane. Add a brief description about the policy.
For instance, you can enter the following information for macOS Shell script:
Name: Enable Remote Management on macOS Devices
Description: Remote Management in Mac lets remote users manage the device with the help of Apple Remote Desktop.
On the Script Settings tab, upload the script: click the Browse icon and select the shell script file. The macOS shell script file must be less than 200 KB in size. You can view the uploaded script, but you cannot edit or modify it in the admin center; to change it, upload a new file.
Scroll down a bit, and here you’ll find a few important settings that can be configured for your macOS script execution.
- Run script as signed-in user: Select Yes to run the script with the signed-in user's credentials on the device. Choose No (default) to run the script as root. Root can make system changes that a standard user account cannot, which also means everything the script does, and everything it downloads or executes, runs with full privileges: review such scripts as carefully as any other privileged code, and never embed passwords, tokens or keys in them.
- Hide script notifications on devices: By default, script notifications are shown for each script that is run. End users see an IT is configuring your computer notification from Intune on macOS devices. When not configured, these messages are shown in Notification Center.
- Script frequency: Select how often the script is to be run on macOS devices. Select Not configured (default) to run a script only once.
- Max number of times to retry if script fails: Select how many times the script should be run if it returns a non-zero exit code (zero meaning success). Select Not configured (default) to not retry when a script fails.
On the Assignments tab, select the Azure AD groups that should receive the shell script. Choose one or more user or device groups; the groups you select appear in the list and will receive the script policy. Click Next.
In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the script policy is deployed to the macOS device/user groups you chose.
The macOS Shell script you created now appears in the list of scripts. If needed, you can select and view the contents of macOS shell scripts after you upload them to Intune.
Wait for the shell script policy to apply to the targeted groups; once the devices check in with the Intune service, they receive the script. You can also run Check Status in Company Portal on your Mac devices to retrieve the latest policies from Intune.
Monitor macOS Shell Script Policy in Intune
You can monitor the run status of all assigned macOS scripts for users and devices by choosing one of the following reports in Intune:
- Shell Scripts > select the script to monitor > Device status.
- Shell Scripts > select the script to monitor > User status.
In the screenshot below, we see the script policy has been executed successfully on the macOS device. On the Mac device, the remote management was enabled via the deployed script.
MacOS Script Status in Intune
A script policy may succeed on some macOS devices and fail on others, so understanding the reported state is necessary for debugging macOS shell script policies. When a script completes execution on a macOS device, one of the following statuses is reported:

| macOS script status | Meaning |
|---|---|
| Succeeded | The script returned zero as its exit code. |
| Failed | The script returned a non-zero exit code, or the script is malformed. |
| Not reported | In the unlikely event that a script is received on the device and the device goes offline before the run status is reported, the device will not report a run status for the script in the admin center. |
3 Reasons why assigned scripts are not running on macOS devices
In rare circumstances, after you create and assign a shell script policy to macOS devices, the associated scripts do not run. The following are the usual reasons why assigned scripts fail to run on macOS devices:
- The agent might need to check in to receive new or updated scripts. This check-in process occurs every 8 hours and is different from the MDM check-in. Make sure that the device is awake and connected to a network for a successful agent check-in, and wait for the agent to check in. You can also request the end user to open Company Portal on the Mac, select the device and click Check settings.
- The Intune agent may not be installed on the Mac. Check that the agent is installed at /Library/Intune/Microsoft Intune Agent.app on the device.
- The agent may not be in a healthy state. The agent attempts to recover for 24 hours; after that it removes itself and reinstalls if shell scripts are still assigned.
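The three checks above can be scripted so that whoever has a terminal on the Mac (locally or over SSH) can triage an unresponsive script assignment without waiting for the admin center. The script below is an added example written for this post, not Microsoft's tooling. It uses the agent bundle path from the list above and the 8-hour check-in interval as its staleness threshold; the log directory /Library/Logs/Microsoft/Intune is an assumption about where the agent writes its logs, and the function names and return codes are this example's own. Log age is only a proxy for "agent healthy": an agent that has written nothing for longer than one check-in interval is either asleep, offline or broken, and the script says which of the three fixes to try first.

```sh
#!/bin/sh
# Triage for "assigned Intune script never ran" on a Mac.
# Added example for this post; paths other than AGENT_APP are assumptions.

# Agent bundle path as given in the troubleshooting list; LOG_DIR is an assumption.
AGENT_APP="${AGENT_APP:-/Library/Intune/Microsoft Intune Agent.app}"
LOG_DIR="${LOG_DIR:-/Library/Logs/Microsoft/Intune}"
CHECKIN_MAX_AGE=$((8 * 3600))   # agent check-in interval from the post, in seconds

agent_installed() { [ -d "$AGENT_APP" ]; }

# Most recently modified .log file under LOG_DIR (empty output if there is none).
newest_log() { ls -t "$LOG_DIR"/*.log 2>/dev/null | head -n 1; }

# Modification time in epoch seconds: GNU stat first, BSD/macOS stat as fallback.
file_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null; }

# Seconds since the agent last wrote to a log; prints -1 when no log exists.
log_age_seconds() {
    f=$(newest_log)
    if [ -z "$f" ]; then printf '%s\n' -1; return 0; fi
    printf '%s\n' $(( $(date +%s) - $(file_mtime "$f") ))
}

# True (0) when the agent has been silent for longer than one check-in interval,
# or has never logged anything at all.
checkin_overdue() {
    age=$(log_age_seconds)
    [ "$age" -lt 0 ] || [ "$age" -gt "$CHECKIN_MAX_AGE" ]
}

# Return codes: 0 agent present and recently active, 1 agent missing, 2 agent silent.
triage() {
    if agent_installed; then
        echo "agent bundle present: $AGENT_APP"
    else
        echo "agent bundle missing: $AGENT_APP (enrollment incomplete, or no script assigned yet)"
        return 1
    fi
    if checkin_overdue; then
        echo "no agent log activity within the last 8 hours:"
        echo "  wake the Mac, confirm it has network, then Company Portal > Check settings;"
        echo "  if it stays silent for 24 hours the agent should remove and reinstall itself"
        return 2
    fi
    echo "agent logged activity $(log_age_seconds)s ago; check the script's Device status in the admin center"
    return 0
}

triage
```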