Guide for Apple IT: App Deployment for macOS
Distributing and managing apps is one of a Mac admin’s core responsibilities. Apple makes this relatively easy for some apps, thanks to Apple Business Manager's Apps and Books feature. Unfortunately, not every business app an admin might want to make available to users is available that way. In this guide, we’ll provide an overview of how to distribute Mac software—with or without Apple Business Manager.
App Store Apps
Back in the day, admins relied on Apple’s Volume Purchase Program (VPP) to distribute apps from the App Store to users. Before VPP, employees with company-owned Apple devices had to use their personal Apple accounts to purchase apps, and then get reimbursed. This was more than just a hassle. Because employees purchased the apps with their own accounts, they owned the app licenses—not the company.
With VPP, purchasing shifted to the organization—first in the form of redemption codes that employees could use to purchase apps, later in the form of licenses owned by companies and assigned to devices or users; if an employee no longer needed the app, the license could easily be reassigned.
Then, in 2019, Apple announced that VPP was going away. The company merged VPP and what was then known as the Device Enrollment Program (DEP, now known as Automated Device Enrollment) into Apple Business Manager. App Store apps could then be purchased through Apple Business Manager.
Purchasing App Store Apps
To purchase apps, you start by signing in to Apple Business Manager as either an Administrator or Content Manager. (For more on those and other roles in Apple Business Manager, see our guide.) You then click Apps and Books in the sidebar, search for the app you need, assign it to a location, enter the number of licenses you want, and (in the case of paid apps) buy. (For more details, see Apple’s support article.)
One detail worth noting: Officially, Apple says that if you buy fewer than 5,000 licenses then the app will be available immediately; above that, the company says, there will be delays. In practice, however, that 5,000 is not always a hard and fast rule. Just don’t be surprised if you have to wait for larger quantities.
Deploying App Store Apps
Once App Store app licenses are purchased and available, you use your Apple device management solution to deploy them to end-user devices. How this works varies depending on which solution you're using. (This, of course, assumes that you’ve integrated that solution into your instance of Apple Business Manager. For a general overview of that process, see our guide here; for more details, see Apple’s support article.)
In Kandji, for example, once you’ve integrated your Kandji account with Apple Business Manager, your Apple Business Manager apps will automatically appear in the App Store Apps section of your Kandji library. You can then assign those apps to specific Blueprints; any enrolled devices assigned to those Blueprints will get those apps on their next check-in. In the Kandji web app, you can also see how many licenses for a given app you’ve already used and which Apple operating systems that app is compatible with. (For those details, see our support article.)
With macOS Big Sur, Apple introduced managed apps to the Mac. (They’d already been available on iOS and iPadOS for some time.) Such apps can be installed on an enrolled device via MDM. If you then reassign the license or if the device is unenrolled, your device management solution will actually remove the app. That doesn’t happen with other installation methods.
One detail we should clarify: Apple enables you to distribute apps that you’ve independently commissioned from developers through Apple Business Manager; it calls such software Custom Apps. But Kandji also has a feature of its own called Custom Apps (along with Custom Scripts and Custom Printers) which we’ll explain below. Apple and Kandji mean two different things by that one phrase.
While we’re on the subject of Apple’s Custom Apps, we should point out that the company also supports something it calls Unlisted Apps in the App Store. These apps are available in the App Store but are not intended for public distribution. They’re discoverable only via a direct link; they don’t appear in App Store categories or search results.
Non-App Store Apps
Of course, Apple Business Manager doesn’t offer a Mac version of every business app your organization might require. Among the more popular titles not currently available in the Mac App Store: business standards such as Google Chrome, Slack, Adobe Creative Cloud, and Zoom; there are many others. Such non-Store apps pose several challenges for IT administrators.
First of all, they’re harder to deploy because they aren’t in Apple Business Manager. Instead, admins must download the installation assets for the app (a PKG, DMG, or ZIP file, for example), making sure they have the correct architecture-specific versions (Intel or Apple silicon). They then have to distribute those assets, by device management solution or some other means.
The architecture question is a pesky one. Even now, many developers are not distributing universal installers that can detect the platform and install the correct binaries. So if you’re installing new apps at scale, you need to contend with matching the right installer to each Mac. (Rosetta 2 can still come in handy here.)
You also have to consider security. While Apple strictly vets App Store apps to be sure they’re safe to use, third-party apps don’t have that same stamp of approval.
It’s true that Apple has introduced several technologies over the years to make downloading third-party Mac apps safer. For example, there’s app notarization, which lets developers submit software to Apple to be scanned for malicious content and code-signing issues. (This is not the same as the app review that Apple applies to software admitted to the App Store.)
If the scan finds no issues, the notary service generates a ticket that can be attached to the app. That ticket, in turn, is used by the macOS Gatekeeper system to confirm that Apple has notarized the software. By default, macOS Catalina and later requires all apps to be notarized and users to provide approval before the app will launch.
However, those screening systems become largely moot when you’re distributing apps with a device management solution. In that case, the OS skips those checks—which means you really need to test third-party apps yourself before distributing them.
You could do so by simply installing and launching the app on a test Mac. That would confirm whether or not the app will trigger the Gatekeeper popup for users.
Alternatively, you can check whether an app or PKG will trigger Gatekeeper by running this command in Terminal (replacing testpackage.pkg with the name of the package you want to test):
If that command returns com.apple.quarantine, users will see the prompt. You can clear that flag by running the command:
/usr/bin/xattr -d com.apple.quarantine testpackage.pkg
Two tools—Suspicious Package and Apparency—can help you validate the security of packages and apps. Both are free and both show whether a package is signed, whether the app is signed or notarized, and more.
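A pre-deployment vetting script that combines the quarantine check above with the signature, notarization and (for app bundles) architecture checks that ship with macOS, added here as an example rather than Kandji's or Apple's own code. It assumes a macOS host with the stock xattr, pkgutil, spctl, codesign, lipo and PlistBuddy tools; the quarantine_in_listing helper is plain text matching over the names xattr prints, so its logic can be exercised on any system.

```shell
# Pre-deployment vetting of a third-party .pkg/.mpkg or .app on macOS.
# Added example (not Kandji's or Apple's code); assumes the stock macOS
# tools xattr, pkgutil, spctl, codesign, lipo and PlistBuddy.

# Pure text check: given the attribute names that `xattr FILE` prints (one
# per line), report whether com.apple.quarantine is among them.
quarantine_in_listing() {
    printf '%s\n' "$1" | grep -qx 'com.apple.quarantine'
}

# Return 0 when FILE carries the quarantine attribute, i.e. users would see
# the Gatekeeper prompt on first launch.
quarantine_present() {
    listing=$(/usr/bin/xattr "$1" 2>/dev/null) || return 1
    quarantine_in_listing "$listing"
}

# Print a vetting report for the installer or app given as the argument.
vet_installer() {
    f="$1"
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if quarantine_present "$f"; then
        echo "quarantine: set (users will see the Gatekeeper prompt)"
    else
        echo "quarantine: not set"
    fi
    case "$f" in
        *.pkg|*.mpkg)
            echo "--- installer signature ---"
            /usr/sbin/pkgutil --check-signature "$f"
            echo "--- Gatekeeper assessment (install policy) ---"
            /usr/sbin/spctl --assess -vv --type install "$f"
            ;;
        *.app)
            echo "--- code signature ---"
            /usr/bin/codesign --verify --deep --strict -vv "$f"
            echo "--- Gatekeeper assessment (execute policy) ---"
            /usr/sbin/spctl --assess -vv --type execute "$f"
            # Which CPU architectures the main binary ships for
            # (Intel = x86_64, Apple silicon = arm64; both = universal).
            exe=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' \
                  "$f/Contents/Info.plist")
            echo "--- architectures ---"
            /usr/bin/lipo -archs "$f/Contents/MacOS/$exe"
            ;;
        *) echo "unrecognised file type: $f" >&2; return 2 ;;
    esac
}

[ "$#" -gt 0 ] && vet_installer "$1"   # usage: sh vet.sh /path/to/installer.pkg
```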
Deploying Non-App Store Apps
However you purchase and vet non-App Store apps, deploying them to users will depend entirely on your device management solution. Kandji, for example, offers a couple of different distribution channels.
Custom Apps: As noted above, Kandji and Apple both have features called Custom Apps; they are not at all the same thing. In Kandji, a custom app is one that isn’t from the App Store; instead, you upload an installer package (.pkg or .mpkg), disk image, or ZIP file, then add it to a Blueprint. Thereafter any device enrolled in that Blueprint will get it.
In Kandji you can configure how often the app should be installed (once per device or via “install and enforce,” which checks to be sure the app is installed and will reinstall it if not). You can also add scripts to be run before or after the installation, for more control over the installation process.
Auto Apps: Kandji’s Auto Apps is a collection of popular business apps that are not available in the App Store, which can be configured to automatically download to user devices; they’re then automatically updated as new versions come out. (Such patch management is another topic for another time.) Additionally, Kandji can enforce updates for these applications, as well as manage notifications, Privacy Preferences Policy Control (PPPC) settings, and kernel extensions. The Auto Apps catalog currently stands at 50+ and is growing all the time.
Self Service: Finally, there’s Self Service. You can make any kind of app—App Store, Auto, or custom—available to users to install as they wish, using the Kandji Agent. (You can make custom scripts and printers available the same way.) Self Service installs automatically on all enrolled Mac computers, and admins can customize the apps available from it.
It’s important to remember that, no matter how simple you make it for users to get the apps they want and need—either by installing those apps yourself remotely or through a tool like Kandji’s Self Service—they may still download and install software themselves, either from the App Store or directly from developers.
You could use a device management solution to block unapproved apps, if that fits your overall IT philosophy. Education and communication could be effective alternatives. If users really must download software themselves, at least nudge them in the direction of the App Store. Then, at least, you know the apps have been vetted and approved by Apple and nothing too horrible will happen to the devices you’re managing.
Kandji makes Apple app deployment in your organization a breeze. Our device management solution gives you complete visibility into the apps installed on your company’s devices, and it lets you deploy third-party apps in just a few clicks. From deployment to retirement, Kandji keeps your Apple devices safe, offering great features like pre-built security settings, one-click compliance, zero-touch deployment, and plenty more. It’s time to manage your devices like your business depends on it.
This post was substantially updated on March 17, 2022.