
Solution

  • Workspace ONE

Type

  • Document

Level

  • Advanced

Category

  • Operational Tutorial

Product

  • Workspace ONE UEM

OS/Platform

  • macOS

Phase

  • Deploy

Use-Case

  • App & Access Management
  • Business Continuity
  • Office365

Deploying a Third-Party macOS App: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.3

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you learn how to deploy applications to macOS and enable the unified application catalog in Intelligent Hub.  

Deploying Store vs Non-Store macOS Apps

Workspace ONE UEM supports delivering macOS apps that originate from both the Mac App Store and outside the store.

You can use Workspace ONE UEM to deliver a macOS application using any of the following software delivery methods:

  • Apple Business Manager or Apple School Manager — Delivers macOS App Store applications to devices as volume-licensed, purchased applications.
  • Software Distribution — Delivers non-store applications as internal apps in Workspace ONE UEM 9.3 and later. We cover the procedure to deliver a non-store macOS application as an internal app in this exercise.   

The type of macOS app being delivered determines the appropriate delivery method. The following table lists different types of software and their recommended delivery method.  


macOS App Store Applications

  • Delivery Method: Apple Business Manager
  • Examples:
    • Xcode
    • Slack
    • Microsoft Office for macOS
    • Microsoft Remote Desktop
    • Apple's iWork suite
    • TextWrangler
    • F5 Access (VPN)
    • iBooks Author
    • Microsoft OneDrive
    • Microsoft OneNote
    • Quickbooks
    • VMware Tunnel
  • Supported Capabilities:
    • Automatic Updates
    • Automatic Metadata Refresh
    • User or Device Licensing
    • Terms Of Use Management
    • Automatic or On-Demand (Catalog-Requested) Installation
    • NSUserDefaults and CFPreferences Configuration via Custom Settings

Non macOS App Store Applications

  • Delivery Method: Software Distribution
  • Examples:
    • Adobe Creative Suite
    • Microsoft Office (Legacy Versions or Insiders)
    • BlueJeans
    • Camtasia
    • Audacity
    • Shell scripts, Python scripts
  • Supported Capabilities:
    • Version Management and Beta Testing
    • Pre/Post [Un]Install Scripting
    • End-User Blocking App Messaging
    • Terms Of Use Management
    • Restart Management
    • Automatic or On-Demand (Catalog-Requested) Installation
    • NSUserDefaults and CFPreferences Configuration via Custom Settings

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. 

  • Apple device running macOS version 10.13.0 (High Sierra) or later
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or later
  • Workspace ONE UEM version 9.3 or later

For more information, see VMware Workspace ONE Access Documentation and VMware Workspace ONE UEM Documentation.

Note: Support for macOS 10.12.x (Sierra) ended with VMware Intelligent Hub version 20.05. Version 20.06 and later requires macOS 10.13.x (High Sierra) and later. See the VMware knowledge base (KB) article: VMware Workspace ONE Intelligent Hub for macOS to end support for OS versions below macOS 10.13 High Sierra.

Deploying Volume-Purchased macOS Apps

Adding Location Token to Workspace ONE UEM

An Apple Business Manager (or Apple School Manager) location is a container that ties a set of books and apps to one or more content managers. Each location has a token that can be uploaded to Workspace ONE to allow App and Book management within the Workspace ONE UEM organization group. The token provides the credentials by which Workspace ONE authenticates to Apple Business Manager to sync assets and manage license assignment.

1. Download Token from Apple Business Manager

Within Apple Business Manager (or Apple School Manager):

  1. Click Settings.
  2. Click Apps and Books.
  3. Click Download for the Server Token next to your Location.
  4. For macOS Catalina, click Allow to allow the download from Apple Business Manager.

2. Select VPP Managed Distribution

In Workspace ONE UEM:

  1. Click Groups & Settings.
  2. Click Configurations.
  3. Scroll down through the list of Configurations.
  4. Select VPP Managed Distribution.

3. Upload Location Token

  1. Ensure the Current Setting is set to Override.
  2. Enter a friendly name for the Location.
  3. Click Upload.
  4. In the dialog box, click Choose File. Browse to and select the vpptoken file downloaded in Download Token from Apple Business Manager and select Choose.
  5. Click Save.
  6. Click Save.

4. Cancel Warning About License Usage in Other Environments

If you unexpectedly receive a message about the sToken being used in another environment, click Cancel. An Apple Business Manager (or Apple School Manager) location can be managed by only one (1) MDM or UEM system at a time. You should resolve the reason for this message before attempting to upload the Token. Alternatively, create a new location in Apple Business Manager.

Note: Instead of uploading the same Token in both your Testing and Production Workspace ONE UEM instance, you should create a second location in Apple Business Manager. Within Apple Business Manager, you can allocate unused licenses between locations allowing you to purchase additional licenses (or move a subset) into your second Location for testing.

For questions regarding Apple Business Manager, refer to Apple Support.

Syncing Volume Purchase Licenses

By default, Workspace ONE syncs managed distribution licenses for custom apps and volume-licensed public apps daily. The sync is scheduled automatically, allowing Workspace ONE to reconcile newly purchased licenses and updated metadata (descriptions and images). When you upload a location token, you can speed up this process by manually initiating a license sync.

Sync Licenses from Apple Business Manager

In the Workspace ONE console:

  1. Click Apps & Books.
  2. Click Native.
  3. Click Purchased.
  4. Click Sync Assets.

Tip: For license and metadata sync to work for on-premises Workspace ONE customers, admins must allow access to *.itunes.apple.com over TCP ports 80 and 443. Refer to Use Apple Products on Enterprise Networks for the full list of hosts and ports required to manage and use Apple products on enterprise networks.

Bulk-Enabling Device-Based Licensing

Managed distribution licenses can be assigned on a per-user or per-device basis. In the per-user licensing model, the end-user of the device is prompted to enter their Apple ID credentials into the device to assign the license. In other words, per-user license distribution requires that all users have an Apple ID. In the per-device licensing model, managed distribution licenses are assigned directly to the device regardless of whether the user has entered Apple ID information. The end-user is not required to have an Apple ID in order for the app to be assigned to the device and installed from the App Store.

For more information, refer to Managed Distribution by Device Serial Number.

Note: If a device is supervised, the user does not get prompted to participate in volume-purchased app management.

Warning: If you convert an application to device-based licensing, you cannot revert it back to user-based licensing.

Bulk-Enable Device-Based Licensing

In the Workspace ONE UEM Console:

  1. Click Apps & Books.
  2. Click Native.
  3. Select Purchased.
  4. Select one or more Public and/or Custom Apps.
  5. Click Enable Device Assignment.
  6. Click Ok to enable device-based licensing for the selected apps.

Assigning Volume-Purchased Apps to Devices

In this activity, you select the volume-purchased apps you want to assign to your devices and configure distribution for that assignment.

1. Browse to Purchased App

In the Workspace ONE UEM admin console:

  1. Click Apps & Books.
  2. Click Native.
  3. Click Purchased.
  4. Optionally, click Filters, expand Platform and select Apple macOS to constrain the list to ONLY macOS apps.
  5. Select the Volume-Licensed App you want to assign (Tunnel - Workspace ONE in this example).

2. Configure Categories

  1. Click Details.
  2. Click to select one or more categories.

3. Optionally Select Terms of Use

  1. Select Terms of Use.
  2. Select an Application Terms of Use if one has been created.

4. Save & Assign

Click Save & Assign.

5. Add Assignment

Click Add Assignment.

6. Configure Distribution

  1. Enter a name for the Distribution. For example, All Devices.
  2. Enter a name of an assignment group to allocate licenses.
  3. Enter the number of licenses to allocate to the Assignment group.
  4. If required, click Add and repeat steps 2 and 3 to allocate licenses to another assignment group.
  5. Select Auto to deliver the app automatically or On Demand (to deliver the app when requested by the user from the catalog).
  6. Click Create.

7. Prioritize Assignments

  1. If necessary, click Add Assignment to add another assignment for the app.
  2. Click to modify the priority of the assignment. This helps determine how the app is assigned if a device has membership to multiple assignments.
  3. Click Save.

8. Publish Assignments

Click Publish.

Troubleshooting Volume-Purchased App Installs

Volume Purchase App Troubleshooting

As organizations deliver volume-purchased apps from Apple Business Manager, some unexpected issues may arise. This article addresses some common issues affecting volume purchased app delivery.

1. Newly Purchased Apps Not Syncing to Workspace ONE UEM

This error is typically the result of one of the following issues:

  • Delays in Apple Business Manager from when you purchase the app to when the licenses are allocated to the Location Token.
  • Apple has released new Terms & Conditions in Apple Business Manager. 
    • To resume syncing, log in to Apple Business Manager with an account granted the Administrator role, and accept the updated Terms & Conditions.
  • The location token downloaded from Apple Business Manager and uploaded to Workspace ONE UEM has expired. 
    • Download a new server token from Apple Business Manager (under Settings > Apps & Books) and upload it to Workspace ONE UEM.

2. Device-Based Licensed Apps Not Installing

If you have assigned an app to a device using device-based assignment, one of the following could be an issue:

  • If the user is getting a prompt to log in with an Apple ID, there is most likely an assignment that was made to the user BEFORE the device-based assignment was created. 
    • Unassign the app from the user completely before you attempt to reassign the app to the device.
  • Ensure an adequate number of licenses are available to assign to the device.
  • Ensure the device has access to vpp.itunes.apple.com.
  • The location token downloaded from Apple Business Manager and uploaded to Workspace ONE UEM has expired. 
    • Download a new server token from Apple Business Manager (under Settings > Apps & Books) and upload it to Workspace ONE UEM.

3. Volume-Purchased Apps Not Removing from macOS

When a VPP app for macOS is no longer scoped to the device or user, or the device is enterprise wiped, the app is not removed from macOS. This is by design in macOS versions prior to macOS 11 (Big Sur), as these earlier versions of macOS did not support any commands to remove the application.

For More Information on Troubleshooting

If you are still experiencing issues with Volume Purchased applications, refer to the Volume Purchase Program (VPP) Troubleshooting Guide or contact VMware support directly.

Deploying a Non-Store macOS App

Enabling 3rd Party macOS App Delivery

In this section, you configure file storage and macOS software management settings in the Workspace ONE UEM console. These settings enable 3rd party macOS app delivery.

1. Access All Settings

Log in to the Workspace ONE UEM Console as an administrator and view the Global Organization Group:

  1. Click Groups & Settings.
  2. Click All Settings.

2. Enable File Storage (On-Premises Only)

If your Workspace ONE UEM instance is SaaS-based, you can skip this procedure as it is already done on your behalf by VMware.

  1. Ensure you are at the Global Organization Group unless your particular setup requires configuring at child Organization Groups.  
  2. Expand Installation.
  3. Select File Path.
  4. Scroll through the file paths pane and select Enabled for File Storage Enabled.
  5. Enter the path of a file share accessible from your Device Services and Console servers.
  6. Select Disabled for File Storage Caching Enabled unless you have planned and sized your Device Services server accordingly.
  7. Select Enabled for File Storage Impersonation Enabled.
  8. Enter the impersonation username credentials to access the file storage path.
  9. Enter the password for the impersonation user.
  10. Confirm the password for the impersonation user.
  11. Click Test Connection and ensure you see Connection Succeeded.
  12. Click Save.

3. Enable Software Management

In the Settings screen, perform the following steps at your top level Organization Group.

  1. Expand Devices & Users.
  2. Expand Apple.
  3. Expand Apple macOS.
  4. Select Software Management.
  5. Select Override.
  6. Select Enabled for Enable Software Management.
  7. Click Save.
  8. Ensure settings are Saved Successfully.

 

4. Optional: Enable Content Delivery Network for On-Premises

When planning for non-store macOS application management in an on-premises Workspace ONE install, administrators should consider enabling Akamai Content Delivery Network (CDN) integration. With CDN integration enabled, non-store macOS application install binaries are replicated to the CDN. Devices will be redirected by Workspace ONE Device Services servers to an authenticated CDN location to download the binaries from a geographically local content cache.  

For more information, refer to Integrate Workspace ONE UEM with Akamai CDN.

Configuring the Hub Catalog

The Hub Catalog is the Workspace ONE modern application catalog driven by Hub Services. Hub Services co-exists with a Workspace ONE Access tenant, but does not require Workspace ONE Access licensing. With Hub Services configured and enabled, users get access to their applications via the Workspace ONE Intelligent Hub for macOS.

For more information, see Workspace ONE Hub Services.

Note: If you already have a Workspace ONE Access tenant, you can substitute that information in the following steps.

1. Browse to Configurations

  1. Click Groups & Settings.
  2. Click Configurations.
  3. Scroll down through the list if required.
  4. Select Intelligent Hub.

2. Get Started

Click Get Started.

3. (Optional) Activate Using Workspace ONE Access

If you have a Workspace ONE Access tenant, follow these steps to set up Hub Services with Workspace ONE UEM.  

  1. Enter the URL for your Workspace ONE Access tenant. For example, https://myaccessurl.vidmpreview.com.
  2. Enter a username with administrative privileges for Workspace ONE Access.
  3. Enter the password for the administrative user.
  4. Click Test Connection and ensure the test succeeds.
  5. Click Save.
  6. Skip to View Hub Services Configuration.

4. Activate by Requesting Cloud Tenant

If you do not have a Workspace ONE Access cloud tenant, click Request Cloud Tenant.

5. Accept Terms of Services

Review the Terms of Services and if you Agree, click Accept.

6. Enter Administrator Details

Enter the details for the administrator account that will be created for your HUB instance:

  1. Enter the Username.
  2. Enter the First Name.
  3. Enter the Last Name.
  4. Enter a valid email address.
  5. Click Next.

7. Select Data Center Location

  1. Select your data center location.
  2. Click Next.

8. View Tenant Name

  1. Observe the Hub Services tenant name that has been created on your behalf.
  2. Click Save.

9. View Hub Services Configuration

  1. Ensure Hub Services activates successfully.
  2. Note the Hub Services URL as populated by entering your Workspace ONE Access credentials or by requesting a tenant.

10. Configure Catalog Settings

  1. Scroll down through the Intelligent Hub settings page if necessary.
  2. Click Configure for Catalog Settings.

11. Modify Catalog Publishing Settings

  1. Under the Publishing tab, ensure the Current Setting is set to Override.
  2. Enter a name for your Application Catalog, for example, Catalog.
  3. Select Disabled for Legacy Catalog (macOS).
  4. Select Enabled for Intelligent Hub Catalog (macOS).
  5. Click Save.

Close the Settings page after you have completed this step.

12. Launch Hub Services

Click Launch.

13. (Optional) Configure Hub Services without Enabling Workspace ONE Access

Within the Hub Services console, you can configure Hub Services per your organization's requirements. Out of the box, the Hub functions without any Hub Services configuration changes. If Workspace ONE Access is not configured, you can manage and modify the following Hub Services settings:

  1. App Catalog: Modify the layout and presentation of apps in the hub catalog.
  2. Branding: Modify the branding settings for the native Intelligent Hub applications and the Hub webpage.
  3. Custom Tab: Define a web page to be shown in the Hub app.
  4. Employee Self-Service: Enable self-service device management for employees via Intelligent Hub.
  5. Notifications: Send basic notifications to employees.

Warning: If you are using Hub Services without enabling Workspace ONE Access, you cannot configure or use People or Virtual Assistance functionality.

Preparing a macOS App for Deployment

In this section, you download the VMware Workspace ONE Admin Assistant tool and use it to prepare a 3rd party macOS app for deployment.

1. Open New Browser Tab

On your macOS device, open a new Safari tab.

2. Download Skitch

  1. In Safari, navigate to https://evernote.com/products/skitch.
  2. Click Download for Mac and if prompted click Allow.
  3. Do not download the app from the Mac App Store to complete this exercise.

The ZIP file for Skitch will download to the Downloads folder.

3. Download VMware AirWatch Admin Assistant Tool

In the same tab as you downloaded Skitch, paste the link to the VMware Workspace ONE Admin Assistant tool and press Enter:

https://getwsone.com/AdminAssistant/VMwareWorkspaceONEAdminAssistant.dmg

The DMG file will download to the Downloads folder.

4. Begin VMware AirWatch Admin Assistant Tool Installation

On the dock, perform the following steps:

  1. Click the Downloads folder (next to the Trash).
  2. Click VMwareWorkspaceOneAdminAssistant.dmg.

5. Launch Installer Package

Double-click the VMware Workspace ONE Admin Assistant.pkg file.

6. Continue Installer

Click Continue.

7. Review and Continue Installer

  1. Review the License Agreement and click Continue.
  2. Click Agree if you agree to the license agreement.

8. Install VMware AirWatch Admin Assistant Tool

Click Install.

9. Enter Admin Credentials

If prompted for administrative credentials, enter the credentials required to install.

  1. Enter your Admin User Name on the macOS device.
  2. Enter your password for the admin user.
  3. Click Install Software.

10. Close the Installer

  1. Click Close when the installer completes.
  2. Click Move to Trash to clean up the installer.

11. Prepare VMware Admin Assistant Tool

  1. Click the Launchpad on the Dock.
  2. Click VMware Workspace ONE Admin Assistant.

12. Drag and Drop Skitch

  1. Click the Downloads folder on the Dock.
  2. Click and HOLD Skitch.
  3. Drag-and-drop Skitch onto the VMware AirWatch Admin Assistant in the box.

The VMware Admin Assistant Tool begins parsing the file to extract information necessary to deploy the software.

13. Monitor Process and Reveal Files

  1. Monitor the progress of the parsing. When it is complete, the wheel changes to a green checkmark.
  2. In the pop-up window, click Reveal in Finder.

14. Review Generated Files

In the Finder window:

  1. Change to Column view.
  2. Note the Path of the Output for the Skitch files: ~/Documents/Workspace ONE Admin Assistant/Skitch-2.8.1
  3. Note the output from the Assistant tool as described here:
    • Skitch-2.8.1.dmg -- The Application has been packaged into a DMG file. (Note: MPKG and PKG files will not be modified.)
    • Skitch-2.8.1.plist -- A metadata file (referenced as the pkginfo.plist in munki documentation) which contains information used by the munki framework to determine how to install/uninstall the software.
    • Skitch.png -- An icon image extracted from the app used for user-friendly display in the console and Workspace ONE app for macOS.

Important: All output for the Admin Assistant tool follows the convention ~/Documents/Workspace ONE Admin Assistant/{AppName-Version}.  At the time this exercise was created, Skitch was at version 2.8.1.

Deploying a 3rd Party macOS App

In this exercise, deploy Skitch, a third-party macOS application, as an internal application in Workspace ONE UEM.

1. Add Native Internal Application

In the Workspace ONE UEM console:

  1. Click Apps & Books.
  2. Expand Applications.
  3. Click Native.
  4. Click Internal.
  5. Click Add Application.

2. Upload the Application File

Click Upload.

3. Choose File

Click Choose File.

4. Select Application File

  1. Select the Documents folder.
  2. Select VMware AirWatch Admin Assistant.
  3. Select Skitch-{version} (for example, Skitch-2.8.1).
  4. Select Skitch-{version}.dmg.
  5. Click Choose.

5. Save Local File

Click Save.

6. Continue Adding Application

Click Continue.

7. Upload Metadata File

  1. Note the link to directly download the VMware Workspace ONE Assistant (in case you forgot to generate the metadata file and are working from a computer where the VMware Workspace ONE Assistant is not installed).
  2. Click Upload.

8. Choose File

Click Choose File.

9. Navigate to Plist File

  1. Select the Documents folder.
  2. Select VMware AirWatch Admin Assistant.
  3. Select Skitch-{version} (for example, Skitch-2.8.1).

10. Select Plist File

  1. Select Skitch-{version}.plist.
  2. Click Choose.

11. Save Plist File

Click Save.

12. Continue Adding Application

  1. Verify that the Application File is shown.
  2. Verify that the Plist File is shown.
  3. Click Continue.

13. Add Image File

  1. Click the Images tab.
  2. Select Click or Drag Files Here.

14. Navigate to Image File

  1. Select the Documents folder.
  2. Select VMware AirWatch Admin Assistant.
  3. Select Skitch-{version} (for example, Skitch-2.8.1).

15. Select Image File

  1. Select {App Name}.png (for example, Skitch.png).
  2. Click Choose.

16. Review Scripts Tab

  1. Click the Scripts tab.
  2. The Pre-Install Script runs before the Workspace ONE Intelligent Hub runs the dmg/pkg/mpkg file that installs the application and can be used to set up prerequisite items before the installer runs. The pre-install script must have an exit code of zero (0) for the install to proceed.
  3. The Post-Install Script runs after the Workspace ONE Intelligent Hub executes the dmg/pkg/mpkg file. This can be useful for applying configurations after the software completes the installation.
  4. The Pre-Uninstall Script runs before the Workspace ONE Intelligent Hub initiates the uninstall. The pre-uninstall script must have an exit code of zero (0) for the uninstall to proceed.
  5. The Uninstall Method defines how the Workspace ONE Intelligent Hub uninstalls software. Typically, Remove Copied Items is used for a DMG installer, and Remove Packages is used for a PKG installer.  
  6. The Post-Uninstall Script provides a method to validate an uninstall was completed and potentially handle any cleanup for the uninstall.
  7. The Install Check script assists the Workspace ONE Intelligent Hub with determining whether an install needs to happen. This script can be useful for desired state purposes and ensuring that a software install remains intact on a user's machine. If the script has an exit code of zero (0), the agent assumes an Install is needed.
  8. The Uninstall Check Script validates whether an uninstall has occurred. If the script has an exit code of zero (0), the agent determines an uninstall is (or is still) required.

Note: Use the pre and post install scripts to avoid repackaging installers. By including scripts, you can automate tasks that would normally require user input before/after an install.

For more information, see Pre And Postinstall Scripts on the Munki wiki.

Important: Scripts must include the shebang (#!) statement on the first line. Examples include the following:

#!/bin/bash
#!/bin/sh

17. Review Deployment Tab

  1. Click the Deployment tab.
  2. Note the section for Blocking Apps. If you select Yes, enter the name for any apps that should be closed before an app install or upgrade can proceed.
  3. Note the different Restart actions.
  4. Note the section to include conditions which can further constrain the deployment.

For more information, see Conditions on the Munki wiki.

18. Save and Assign Application

  1. Select Terms of Use.
  2. Review the ability to add terms of use to a software title.  
  3. Click Save & Assign.

19. Open Assignment Settings

Click Add Assignment.

20. Configure Assignment Settings

  1. Enter a name for the assignment. For example, All Devices.
  2. Click in the Assignment Group section and select an assignment group. The selected group appears underneath the text box.
  3. Select a time and date to begin the deployment if you do not want to begin immediately.
  4. Select Auto to deliver the app automatically or On Demand (to deliver the app when requested by the user from the catalog).
  5. Enable Display in App Catalog if you want to display the app in the user's app catalog.

21. Configure Restrictions Settings

  1. Click Restrictions.
  2. Enable Remove on Unenroll if you want the Intelligent Hub to remove the application on Unenroll.
  3. Enable Desired State Management if you want the desired state management feature to re-install the app if the user removes it.
  4. Click Create.

22. Save the Assignment

  1. If additional assignments are required, click Add Assignment and repeat the process starting at Configure Assignment Settings.
  2. Click Save.

23. Publish the Application

Click Publish.

24. Review Published Application Information

Review the newly published application.

Validating macOS App Installation

With the macOS device enrolled, the published application should begin downloading and installing immediately if set to Automatic deployment. This exercise helps you to manually validate the application is installing and/or installed.

1. Launch Terminal

  1. Click the LaunchPad on the Dock.
  2. Enter terminal to filter the LaunchPad apps.
  3. Click Terminal.

2. Review ManagedSoftwareUpdate Log

  1. Tail the ManagedSoftwareUpdate.log file by running the following command. Note: The -F parameter means the tail command continually monitors the file for updates (displaying progress as the software installation continues).

tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

  2. Search for a line in the results stating Skitch version [version] (or newer) is already installed. This indicates the software has been installed.

Note: The agent initiates a Managed Software Update within the munki framework multiple times. Depending on where the agent is within the process of the install, the tail command may output lines similar to the following:

[Date/Time]    Need to install Skitch
[Date/Time]    Downloading Skitch-2.8.1.dmg from Skitch-2.8.1.dmg
[Date/Time]     The following items will be installed or upgraded:
[Date/Time]         + Skitch-2.8.1
[Date/Time]      Processing installs
[Date/Time]      Installing Skitch (1 of 1)
[Date/Time]     Mounting disk image Skitch-2.8.1.dmg
[Date/Time]     The software was successfully installed.

3. Check for App in the Launchpad

  1. Click the Launchpad icon on the Dock.
  2. Check if the Skitch application is present.

4. Open Workspace ONE Intelligent Hub

  1. Click the Launchpad icon.
  2. If necessary, swipe or click additional pages.
  3. Find and click the Workspace ONE Intelligent Hub to launch the Hub.

5. (Optional) Trigger Application Install from Catalog

  1. Click Apps.
  2. Click the All Apps category (you can optionally organize applications into various categories as shown).
  3. Find the application you have uploaded (in this example, Skitch).
  4. Click Install.
  5. Click Install in the pop-up window.

Note: The Install button changes to Installing during the app installation and then changes to ReInstall when the installation completes.

6. View Installation Monitor Screen

  1. Click the Installation Monitor toggle.
  2. Note the status of the Install as it proceeds.
  3. Click X to close the Installation Monitor.

Key Takeaways

  • macOS applications can be deployed using volume-purchased licenses from the Mac App Store or via internal deployment processes.
  • Detailed status on installation progress is delivered to the end-user using the Workspace ONE native application for macOS (not covered in this exercise).
  • Workspace ONE UEM provides an application catalog to allow user and device specific self-service requests for application installation.

Troubleshooting Non-Store App Deployments

Introduction to Troubleshooting Non-Store Apps

Non-store macOS applications are delivered from Workspace ONE UEM via the Workspace ONE Intelligent Hub. As such, there are some basic prerequisites for macOS Software Delivery to work. If the prerequisites are not met, there may be unexpected behaviors occurring due to the specific installer package that must be worked around.

1. Prerequisites

Non-store macOS apps require the following to work correctly:

Note: AWCM provides notifications to the Intelligent Hub to trigger real-time non-store app installation. In the absence of AWCM, the Intelligent Hub reverts to a scheduled interval to check for new app installation commands.

Determining When to Install Non-Store Apps

When determining whether to install a non-store macOS application, Workspace ONE uses the following information from the manifest PLIST (or the configuration in the console).

Note: The Install Check Script and Installs Arrays are the most flexible methods for determining installation status.

1. Install Check Script

Whether entered in the Scripts tab in the console or entered manually in the PLIST file, the script should exit with a zero (0) return code to trigger an install. The script should include a shebang statement (such as #!/bin/zsh) at the beginning.
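
An Install Check script that follows this exit-code contract, as an added example (not VMware's or Munki's own code): it exits 0 when Skitch is missing or older than the packaged version, and non-zero otherwise. The /Applications/Skitch.app path, the function names, and the rule that non-numeric version components count as 0 are assumptions made for illustration.

```shell
#!/bin/sh
# Install Check script for the Scripts tab (added example, not VMware's code).
# Contract from the tutorial: exit 0 = install needed, non-zero = nothing to do.

APP_PATH="/Applications/Skitch.app"   # assumed install location
REQUIRED_VERSION="2.8.1"              # version packaged in this tutorial

# version_lt A B: succeeds when dotted version A is older than B.
# Components are compared numerically, so 2.10 is newer than 2.8.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        # Drop the component just read from each version string.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Assumption: a missing or non-numeric component counts as 0.
        case $x in ''|*[!0-9]*) x=0 ;; esac
        case $y in ''|*[!0-9]*) y=0 ;; esac
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions: not older
}

# needs_install CURRENT REQUIRED: succeeds when the app is absent
# (empty CURRENT) or older than REQUIRED.
needs_install() {
    if [ -z "$1" ]; then return 0; fi
    version_lt "$1" "$2"
}

# installed_version APP: prints CFBundleShortVersionString, or nothing when
# the bundle is missing or unreadable. PlistBuddy ships with macOS.
installed_version() {
    plist="$1/Contents/Info.plist"
    if [ -f "$plist" ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
            "$plist" 2>/dev/null || true
    fi
}

main() {
    current=$(installed_version "$APP_PATH")
    if needs_install "$current" "$REQUIRED_VERSION"; then
        echo "install needed (found: ${current:-none}, want: $REQUIRED_VERSION)"
        return 0
    fi
    echo "up to date (found: $current)"
    return 1
}

# Falling off the end returns 0 (install); otherwise exit non-zero (skip).
main || exit 1
```

Comparing components numerically matters here: a plain string comparison would rank 2.10.0 below 2.8.1 and trigger a reinstall on every check.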

2. Installs Array

This key-value pair in the PLIST file specifies identifying information about a binary or file which should be directly compared to determine if the correct version of an app is installed. The "installs" list can contain any number of items. These can be applications, Preference Panes, Frameworks, or other bundle-style items, Info.plists, or simple directories or files. For more information, see How Munki Decides What Needs To Be Installed.

3. Receipts Array

When a package is installed, the installer leaves a receipt and bill of materials file on the machine. Some packages parsed by the Workspace ONE Admin Assistant will include detail on what receipts will be dropped by the installer in the PLIST file. When a PLIST file lacks the install check script or installs array, the absence of the specified receipt(s) on the machine triggers an install. For more information, see How Munki Decides What Needs To Be Installed.

Troubleshooting Common Installer Problems

This section lists some of the common problems you might encounter when installing a non-store macOS app.

1. Incorrect Application Name in the Application Catalog

Sometimes an installer package parsed by the VMware Workspace ONE Admin Assistant generates a PLIST file where the application name is incorrect. It is also possible that organizations refer to software by a common or colloquial name that is easily recognized by end-users. In either case, administrators can change the name displayed in the Intelligent Hub application catalog before uploading the PLIST to Workspace ONE UEM.

1.1. Open the PLIST Generated by Admin Assistant

  1. In Finder, browse to the PLIST file for the app in question (usually in ~/Documents/Workspace ONE Admin Assistant/<app name>-<version>).
  2. Right-click the PLIST file and select Open With and then select an editor (such as BBEdit).

1.2. Modify Plist File

Modify the string value for the name key-value pair.  

2. Installers with No Package Version

Sometimes an installer package parsed by the VMware Workspace ONE Admin Assistant generates a PLIST file where the version shows Please Edit Me. This problem must be fixed before uploading the PLIST to Workspace ONE UEM.

2.1. Open the PLIST Generated by Admin Assistant

  1. In Finder, browse to the PLIST file for the app in question (usually in ~/Documents/Workspace ONE Admin Assistant/<app name>-<version>).
  2. Right-click the PLIST file and select Open With and then select an editor (such as BBEdit).

2.2. Modify Plist File

Modify the string value for the version key-value pair.  

3. Installers Requiring Configuration Files

Rather than reading configuration data from CFPreferences or NSUserDefaults (which can be managed by profiles), some installers look for configuration information in specific, hardcoded file locations to pre-configure the software for the end user. This section shows how you can accommodate this scenario in Workspace ONE UEM.

3.1. OPTION 1: Create a Pre-Install Script

Use a Pre-Install script to create the file and populate the contents of that file dynamically. This method eliminates the need to repackage software to include the configuration file. In the following example script, edit the following:

  1. The CFG_DIR string.
  2. The ini or xml file name in lines 4 through 6.
  3. The file contents (between the EOM lines).

#!/bin/sh
CFG_DIR="/tmp/your-app"  # named CFG_DIR, not PATH, so the shell's command search path stays intact
/bin/mkdir -p "$CFG_DIR"
/usr/bin/touch "$CFG_DIR/cfg.ini"
/bin/chmod 644 "$CFG_DIR/cfg.ini"
/bin/cat > "$CFG_DIR/cfg.ini" <<- EOM
[customer]
Code=COMPANY_CODE
EOM

3.2. OPTION 2: Leverage Items_To_Copy Array

For DMG-style installers that use scripts with hard-coded paths, leverage the items_to_copy array in the PLIST. To make this work, you must include the following XML content in the PLIST and make the following modifications:

  1. Include the destination directory where you want to copy the files from the mounted DMG (basically, a staging area on the file system).
  2. Include the mode value to set permissions on the copied file.
  3. Include the source item on the mounted DMG.
    Note: You might need to include folder structures if the item is in a subfolder on the mounted DMG.

<key>installer_type</key>
<string>copy_from_dmg</string>
<key>items_to_copy</key>
<array>
    <dict>
        <key>destination_path</key>
        <string>/tmp/</string>
        <key>mode</key>
        <string>644</string>
        <key>source_item</key>
        <string>Installer.pkg</string>
    </dict>
    <dict>
        <key>destination_path</key>
        <string>/tmp/</string>
        <key>mode</key>
        <string>755</string>
        <key>source_item</key>
        <string>scripts/install_unattended.sh</string>
    </dict>
</array>

Gathering Logs

VMware Workspace ONE Intelligent Hub facilitates easy log collection for administrators.  

1. Gather Logs locally on Device

  1. With Intelligent Hub open and the active/focused Window, click the Help menu and click Show Logs in Finder.
  2. After Hub collects the logs, open Finder and browse to them (/private/tmp/Hublogs).
  3. Review the ManagedSoftwareUpdate.log file for errors.

2. Send Hub Logs to Console

  1. With Intelligent Hub open and the active/focused Window, click the Help menu and click Collect & Send Logs.
  2. Note the Hub interface is grayed out during log collection.

After the logs are collected, administrators can download the logs in the Workspace ONE UEM console by browsing to Devices > List View > {Specific Device} > Attachments > Documents. Click the specific log set to download locally on your computer.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to deploy macOS apps for two scenarios:

  • Deploy macOS store applications to devices as volume-purchased apps.
  • Deploy non-store macOS apps as internal apps in Workspace ONE UEM.

Basic troubleshooting for each method was also provided.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

Change Log

The following updates were made to this guide. 

Date Change
08/12/2020

Removed the following chapters

  • Deploying a 3rd Party macOS App 
  • Deploying a 3rd Party macOS App as a Product (Legacy)

Added the following chapters/articles

  • Deploying Store vs Non-Store macOS Apps
  • Deploying Volume-Purchased macOS Apps
  • Troubleshooting Volume-Purchased macOS App Installs
  • Deploying a Non-Store macOS App
  • Troubleshooting Non-Store App Deployments

About the Authors

This tutorial was written by:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Hannah Jernigan, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
