Understanding the problem

I mentioned that during enrollments of Macs running macOS 14.x, application installations stop without any obvious reason.


I started analysing what could be the problem and found an interesting workaround for this behaviour. The apps in question include a variety of types supported by Intune:

  • Volume Purchasing Program (VPP) apps: These are apps purchased in bulk from the App Store.
  • DMG Installers: Standalone installations via disk images for macOS.
  • PKG Installers: Installation packages for distributing software on macOS.
  • Shell scripts: Used for specific installations, like the Company Portal.

Intune, a Microsoft service used for device management, encounters a particular challenge with macOS: it does not prioritize or order app installations, nor does it handle dependencies. In my experience, this lack of a structured installation order leads to unpredictable and inconsistent app deployment.

Reproducing the issue

For example, I identified specific scenarios that halt the installation process:

  1. Network switching: Changing from an "enrollment WiFi" to a managed WiFi profile.
  2. System extension installations: Installing a PKG that includes a network system extension, especially when combined with a policy that explicitly allows system extensions.
  3. VPN connection: Initiating a VPN connection before all app installations have completed.

Each of these scenarios can disrupt the installation process, often seen during the device enrollment phase.

User experience

When these interruptions occur, app installations simply stop, leaving users without a clear resolution. This issue can be particularly challenging as it can happen at multiple stages:

  1. During a WiFi switch.
  2. While installing any network system extensions (three in total in my tests).
  3. At the initiation of a VPN connection.

Unfortunately, even if Microsoft’s Company Portal is installed, syncing the device doesn’t rectify this issue. A device reboot can temporarily restart the installations, but they may halt again upon encountering the same interruptions.


Developing a workaround

Analyzing the IntuneMDMDaemon.log file revealed key insights. For instance, an error in the log for Microsoft Edge showed a failure to download the app binary. This suggests that the IntuneMDMDaemon fails to download the necessary package when one of the interruptions above occurs and, without any retry mechanism, leaves the installation halted.

2024-01-25 07:10:01:920 | IntuneMDM-Daemon | I | 13242 | AppInstallManager+Logging | Error downloading app binary file. PolicyID: 37432470-3dcd-4835-ba9a-df66c4102601, AppName: Microsoft Edge, ExitCode: -2016214735, ErrorDetails: Cannot download app binary file.,ComplianceState: Error, EnforcementState: Error
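To find these failures without reading the whole log by hand, here is an added example (not the author's script) that scans an IntuneMDMDaemon.log for the error line quoted above and summarises which apps and policies were left in an error state. The log path is an assumption; the only real log line is the one quoted in the post, the other sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise "Error downloading app binary file" lines per app.
# The field layout follows the line quoted in the post; the log path below is
# an assumption, not taken from the post.
DEFAULT_LOG="/Library/Logs/Microsoft/Intune/IntuneMDMDaemon.log"

# Print one line per (AppName, PolicyID) with the number of download errors.
failed_downloads() {
    awk '/Error downloading app binary file/ {
        pid = ""; app = ""
        if (match($0, /PolicyID: [^,]+/)) pid = substr($0, RSTART + 10, RLENGTH - 10)
        if (match($0, /AppName: [^,]+/))  app = substr($0, RSTART + 9,  RLENGTH - 9)
        count[app SUBSEP pid]++
    }
    END {
        for (k in count) {
            split(k, p, SUBSEP)
            print "AppName=" p[1] " PolicyID=" p[2] " errors=" count[k]
        }
    }' "$1" | sort
}

# Exit 0 if the named app has at least one download error in the log.
app_download_failed() {
    grep -q "Error downloading app binary file.*AppName: $2," "$1"
}

# Constructed sample log for a stand-alone run: only the second line is the one
# quoted in the post, the others are made up in the same format.
make_sample_log() {
    cat > "$1" <<'EOF'
2024-01-25 07:09:58:101 | IntuneMDM-Daemon | I | 13242 | AppInstallManager+Logging | Starting download. PolicyID: 37432470-3dcd-4835-ba9a-df66c4102601, AppName: Microsoft Edge
2024-01-25 07:10:01:920 | IntuneMDM-Daemon | I | 13242 | AppInstallManager+Logging | Error downloading app binary file. PolicyID: 37432470-3dcd-4835-ba9a-df66c4102601, AppName: Microsoft Edge, ExitCode: -2016214735, ErrorDetails: Cannot download app binary file.,ComplianceState: Error, EnforcementState: Error
2024-01-25 07:10:05:004 | IntuneMDM-Daemon | I | 13242 | AppInstallManager+Logging | Error downloading app binary file. PolicyID: 37432470-3dcd-4835-ba9a-df66c4102601, AppName: Microsoft Edge, ExitCode: -2016214735, ErrorDetails: Cannot download app binary file.,ComplianceState: Error, EnforcementState: Error
2024-01-25 07:10:09:377 | IntuneMDM-Daemon | I | 13242 | AppInstallManager+Logging | Error downloading app binary file. PolicyID: 00000000-0000-0000-0000-000000000000, AppName: Example Tool, ExitCode: -2016214735, ErrorDetails: Cannot download app binary file.,ComplianceState: Error, EnforcementState: Error
EOF
}

# Usage on a real Mac: sh scan.sh --scan [/path/to/IntuneMDMDaemon.log]
if [ "${1:-}" = "--scan" ]; then
    failed_downloads "${2:-$DEFAULT_LOG}"
fi
```

On a device, run it with `--scan` against the real log; one app listed with several errors tells you which download was cut off by the WiFi switch, system extension install or VPN start.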

The Script Solution

To circumvent this, I developed a shell script that:

  • Checks the status of required apps.
  • Restarts the IntuneMDMDaemon process when an app is found to be installed, or when the initial VPN connection has succeeded. Currently, the script does not handle WiFi changes; this may be added later if necessary.

Workaround Challenges

An interesting observation was that restarting the IntuneMDMDaemon inadvertently triggers the shell script again. To prevent repeated executions, I incorporated a check to determine whether the script had already run while not all apps were installed yet.
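The control flow described in the two sections above, written out as an added example; this is not the author's published script. Everything not stated in the post is an assumption: an app counts as installed when its bundle directory exists under /Applications, the daemon process name is taken from the "IntuneMDM-Daemon" prefix in the log, launchd is assumed to relaunch the daemon after it is killed, the VPN is detected via a utun interface, and DRY_RUN=1 (the default) only prints instead of killing anything.

```shell
#!/bin/sh
# Added example of the workaround structure: app check, VPN check, re-entrancy
# guard, daemon restart. Paths, process and interface names are assumptions.
set -u

APP_ROOT="${APP_ROOT:-/Applications}"
LOCK_FILE="${LOCK_FILE:-/var/tmp/intune-app-workaround.lock}"
DAEMON_NAME="${DAEMON_NAME:-IntuneMDM-Daemon}"   # assumed from the log prefix
VPN_IFACE="${VPN_IFACE:-utun3}"                  # assumed tunnel interface
DRY_RUN="${DRY_RUN:-1}"

# App check: the bundle directory is present under APP_ROOT.
app_installed() { [ -d "$APP_ROOT/$1" ]; }

# Print the apps that are still missing; exit 0 only when none are missing.
missing_apps() {
    missing=0
    for app in "$@"; do
        if ! app_installed "$app"; then
            printf '%s\n' "$app"
            missing=1
        fi
    done
    return $missing
}

# VPN check: the tunnel interface carries an IPv4 address.
vpn_connected() { ifconfig "$VPN_IFACE" 2>/dev/null | grep -q 'inet '; }

# Re-entrancy guard. Restarting the daemon re-runs this script, so the lock
# file records every trigger already acted on; a re-run restarts only for new ones.
already_handled() { [ -f "$LOCK_FILE" ] && grep -qxF "$1" "$LOCK_FILE"; }
mark_handled()    { printf '%s\n' "$1" >> "$LOCK_FILE"; }

restart_daemon() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "DRY_RUN: would restart $DAEMON_NAME"
        return 0
    fi
    killall "$DAEMON_NAME"   # launchd relaunching it afterwards is assumed
}

# One pass over the required app list.
# Returns 0 if the daemon was restarted, 1 if nothing new happened,
# 2 if every app is installed (lock removed, nothing left to do).
run_once() {
    if missing_apps "$@" >/dev/null; then
        rm -f "$LOCK_FILE"
        return 2
    fi
    triggered=1
    for app in "$@"; do
        if app_installed "$app" && ! already_handled "app:$app"; then
            mark_handled "app:$app"
            triggered=0
        fi
    done
    if vpn_connected && ! already_handled "vpn"; then
        mark_handled "vpn"
        triggered=0
    fi
    if [ "$triggered" -eq 0 ]; then
        restart_daemon
    fi
    return $triggered
}

# Usage: sh workaround.sh --run "Microsoft Edge.app" "Company Portal.app"
if [ "${1:-}" = "--run" ]; then
    shift
    run_once "$@"
fi
```

Each trigger (a newly present app, the first VPN connection) restarts the daemon exactly once; the lock file is what keeps the re-run caused by that restart from restarting again, and it is removed once the whole list is installed so a later enrollment starts clean.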

Future Plans

I am in the process of refining this script for public use and plan to share it on GitHub. This will allow others facing similar issues to test and adapt the script for their specific needs. Nevertheless, I thought publishing these findings might help others with their enrollment/app installation issues, even before publishing the script. Please see update #2.

In any case, this should not be the way to go in any production environment.

Vendors involved

Currently I have an open ticket with Microsoft Intune support as well as a sibling ticket with AppleCare Enterprise. The MS ticket is currently being analysed, and hopefully the root cause of this can be found. I will update the post with new information from both cases.

Update #1 - 2024-01-31 08:10 CET

Intune Product Group confirmed that the implementation of IntuneMDMDaemon/Sidecar in Company Portal for macOS is not handling the installation of system extensions gracefully. They are now aware and working on a fix in an upcoming Company Portal for macOS release. I emphasised that it would be good to check the two other problems (WiFi change during downloads and connecting to a VPN during downloads) and address them as well in the upcoming update if possible.

Update #2 - 2024-02-05 07:20 CET

I published my workaround bash script on my GitHub account. Maybe you want to check it out; I would be happy to get feedback if something can be done more elegantly or if I made any major error in it.

Update #3 - 2024-04-09 22:10 CEST

Two days ago the IntuneMDMAgent version 2404.005 was released by Microsoft (more information on how to check the version here: Update #3). This new version introduced a new mechanism for retrying app binary downloads. Currently, this makes three attempts to download the binary. This significantly improves the enrollment flow and might work a lot better for some Intune macOS admins. This is a great achievement. Sadly, it does not fully solve my issue with the more than three interruptions we face during our enrollments. I will create reproductions of my issue and report this to Microsoft.