Deploying a Third-Party macOS App: Workspace ONE UEM Operational Tutorial

Overview

VMware Workspace ONE® UEM offers application management functionality for managing the deployment of macOS applications to your devices. This functionality supports various application types and deployment scenarios. For macOS, apps are classified as:

  • Internal Apps – Internal apps are non-app store apps uploaded directly into Workspace ONE UEM. These can be internally developed applications, apps imported from an external app repository, or apps downloaded from the Internet and packaged for distribution through Workspace ONE.
  • Purchased Apps – Purchased apps are applications obtained through Apple’s Volume Purchase Program (VPP) or custom B2B apps. These apps are volume-licensed, purchased macOS App Store apps using Apple Business Manager as the delivery method.
  • Web Apps – Web apps are links on the menu of the end-user’s device that give them easy access to a URL or web app.

In this tutorial, you learn how to deploy applications to macOS and enable the unified application catalog in Intelligent Hub. The exercises in this tutorial focus on the first two app types from the previous list: internal apps and purchased apps.

Note: This tutorial will not cover web apps. It will focus on application delivery through the SaaS version of Workspace ONE UEM. Although many of the steps are similar for an on-premises instance of Workspace ONE UEM, there are additional processes for on-premises that are not in this tutorial.

Deploying macOS App Store Apps vs Non-App Store Apps

Workspace ONE UEM supports delivering macOS apps that originate from both the macOS App Store and outside the store. 

You can use Workspace ONE UEM to deliver a macOS application using any of the following software delivery methods:

  • Apple Business Manager or Apple School Manager — Delivers macOS App Store applications to devices as volume-licensed, purchased applications. This tutorial will discuss how to deploy a macOS App Store application through Workspace ONE UEM.
  • Software Distribution — Delivers non-store applications as internal apps. We cover the procedure to deliver a non-store macOS application as an internal app in this tutorial.   

The type of macOS app being delivered determines the appropriate delivery method. The following table lists different types of software and their recommended delivery method.

Delivery Method

  • macOS App Store Applications: Apple Business Manager
  • Non macOS App Store Applications: Software Distribution

Examples

  • Xcode 
  • Slack 
  • Microsoft Office for macOS
  • Microsoft Remote Desktop
  • Apple's iWork suite
  • BBEdit
  • Workspace ONE Tunnel
  • iBooks Author
  • Microsoft OneDrive
  • Microsoft OneNote
  • QuickBooks
  • Adobe Creative Suite
  • Microsoft Office (Legacy Versions)
  • BlueJeans
  • Camtasia
  • Audacity 
  • Shell scripts, Python scripts

Supported Capabilities

macOS App Store Applications:

  • Automatic Updates
  • Automatic Metadata Refresh
  • User or Device Licensing
  • Terms Of Use Management
  • Automatic or On-Demand (Catalog-Requested) Installation
  • NSUserDefaults and CFPreferences Configuration via Custom Settings

Non macOS App Store Applications:

  • Version Management and Beta Testing
  • Pre/Post [Un]Install Scripting
  • End-User Blocking App Messaging
  • Terms Of Use Management
  • Restart Management
  • Automatic or On-Demand (Catalog-Requested) Installation
  • NSUserDefaults and CFPreferences Configuration via Custom Settings

Purpose of This Tutorial

This tutorial takes you through the steps for completing the following tasks:

  • Configuring the Hub Catalog.
  • Deploying Volume-purchased macOS apps.
  • Deploying non-store macOS apps.
  • Troubleshooting for both volume-purchased app and non-store app installs.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with macOS, XML, and basic scripting is assumed.

Knowledge of additional technologies such as VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Prerequisites

This tutorial was developed on the latest version of Workspace ONE UEM and Intelligent Hub at the time of publishing: 

  • Apple device running macOS version 16.1 (Ventura)
  • VMware Workspace ONE Intelligent Hub for macOS version 2208
  • Workspace ONE UEM version 2210 (SaaS)

For more information, see VMware Workspace ONE Access Documentation and VMware Workspace ONE UEM Documentation.

Configuring the Hub Catalog

With Hub Services enabled for Intelligent Hub for macOS, Workspace ONE administrators can customize the Hub Services App Catalog. The Hub Services component co-exists with Workspace ONE Access, and must be activated to take advantage of its full functionality. Hub Services can also function with Workspace ONE UEM alone, but with limited features: Catalog for UEM apps, Notification, Self-Service Support, and Custom Tab.

Within the Hub Services console, you can configure Hub Services per your organization's requirements. Out of the box, the Hub functions without any Hub Services configuration changes. If Workspace ONE Access is not configured, you can manage and modify the following Hub Services settings:

  1. App Catalog: Modify the layout and presentation of apps in the Hub catalog.
  2. Branding: Modify the branding settings for the native Intelligent Hub applications and the Hub webpage.
  3. Custom Tab: Define a web page to be shown in the Hub app, such as the company homepage or benefits homepage.
  4. Employee Self-Service: Enable self-service device management for employees via Intelligent Hub.
  5. Notifications: Send basic notifications to employees, such as a notification that email is malfunctioning, and Teams or Slack should be used instead.

If you are using Hub Services without enabling Workspace ONE Access, you cannot configure or use People or Virtual Assistance functionality.

This tutorial focuses on the Hub Catalog and will not cover other features of Intelligent Hub. The following procedure focuses on configuring the Catalog, but administrators can access other Hub Services settings from the same location.

Prerequisites

This tutorial assumes that you already have activated Hub Services in your Workspace ONE UEM instance.

Configure the Hub Services App Catalog

To get the desired result, perform the following steps:

  1. On your desktop, double-click the Google Chrome icon.
  2. Go to the VMware Workspace ONE UEM Console.
    For example, go to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.
  3. Enter your Username, for example, administrator.
  4. Click Next. The Password text box is displayed.
  5. Enter your Password, for example, VMware1!. Click Login.

    Note: If you see a Captcha, be aware that it is case sensitive.
  6. In the Workspace ONE UEM console, select Groups & Settings. Then select Configurations.
  7. Scroll through the list and click on Intelligent Hub. Then click Launch.
  8. Click Begin if you are shown the Introductory page.
  9. From the Configuration Checklist, click Configure for App Catalog.

  10. Ensure the version is set to Global (1).

    Note: The Version link allows you to create multiple sets of App Catalog settings, which can be useful if you want the App Catalog to appear differently for different sets of devices or users.
  11. Ensure macOS (2) is enabled.
  12. Note the Grab area (3) which allows you to rearrange sections in the catalog layout.
  13. Note the X's (4) which allow you to remove sections from the catalog layout.
  14. Click Add Section (5) to add sections to the app catalog (such as sections for a specific app category).
  15. Enable Show Favorites Tab (6) to allow users to select the apps they want to display in their favorites list.
  16. Enable Show Virtual Apps On Devices (6) to show virtual apps on mobile devices and small screens.
  17. Enable App Ratings (6) if you want to collect data from users on which apps they like and/or are working well. You can optionally click the Download button to download a report of the ratings.
  18. Click Save to set the global default app catalog settings.

Deploying Volume-Purchased macOS Apps

If you plan to distribute App Store applications to your macOS device, you will need to use Apple’s Volume Purchase Program (VPP). To do this, you must integrate Apple Business Manager with your Workspace ONE UEM instance.

Apple Business Manager allows organizations to purchase, in volume, any free or paid App Store applications for distribution at the existing App Store price. To use Apple’s VPP, you will need an Apple Business Manager account.

The next exercises walk you through the following tasks:

  • Adding an Apple Business Manager location token to Workspace ONE UEM.
  • Syncing volume purchased licenses.
  • Bulk-enabling device-based licensing.
  • Assigning volume-purchased apps to devices
  • Updating volume-purchased apps.

Adding a Location Token to Workspace ONE UEM

An Apple Business Manager (or Apple School Manager) location is a container that ties a set of books and apps to one or more content managers. Each location has a token that can be uploaded to Workspace ONE to allow App and Book management within the Workspace ONE UEM organization group. The token provides the credentials by which Workspace ONE authenticates to Apple Business Manager to sync assets and manage license assignments.

To get the desired result, perform the following steps:

  1. On your desktop, double-click the Google Chrome icon.
  2. Navigate to the Apple Business Manager Console. At the time this document was created, the URL for Apple Business Manager was https://business.apple.com. Note, this may have changed since this document was published.
  3. Enter your managed Apple ID.
  4. Click the arrow. Enter your managed Apple ID password in the Password text box.
  5. Click the arrow to log in.

  6. In the bottom left-hand corner of the screen, click your account name and select Preferences from the pop-up menu.
  7. Click Payments and Billing.
  8. Click Download for the Server Token next to your Location.

  9. In the Workspace ONE UEM console, click Groups & Settings.
  10. Click Configurations, and scroll through the list until you find VPP Managed Distribution.
  11. Click VPP Managed Distribution.
  12. If not already set, change the Current Setting to Override.
  13. Enter a Description. Usually this would be the same as the location name listed in Apple Business Manager, but you have the option to provide a different value.
  14. Click Upload.
  15. In the dialog box, click Choose File. Browse to and select the vpptoken file downloaded earlier from Apple Business Manager, and select Choose.
  16. Click Save.
  17. Click Save.

Note: If you unexpectedly receive a message about the sToken being used in another environment, click Cancel. An Apple Business Manager (or Apple School Manager) location can be managed by only one (1) MDM or UEM system at a time. You should resolve the reason for this message before attempting to upload the Token. Alternatively, create a new location in Apple Business Manager.

Instead of uploading the same Token in both your Testing and Production Workspace ONE UEM instances, you should create a second location in Apple Business Manager. Within Apple Business Manager, you can allocate unused licenses between locations allowing you to purchase additional licenses (or move a subset) into your second Location for testing.

Syncing Licenses from Apple Business Manager

By default, Workspace ONE syncs managed distribution licenses for custom apps and volume-licensed public apps daily. The sync is scheduled automatically, allowing Workspace ONE to reconcile newly purchased licenses and updated metadata (descriptions and images). When you upload a location token, you can speed up this process by manually initiating a license sync.

To get the desired result, perform the following steps:

  1. In the Workspace ONE UEM console, click Resources.
  2. Expand Apps and click Native.
  3. Click Purchased.
  4. To sync licenses with Apple Business Manager, click the Sync Assets button.
  5. Give the sync process a minute to complete, and then click the Refresh button to view the assets that have been updated.

Bulk-Enabling Device-Based Licensing

Managed distribution licenses can be assigned on a per-user, or per-device basis. For the per-user licensing model, the end-user of the device is prompted to enter their Apple ID credentials into the device to assign the license. In other words, per-user license distribution requires that all users have an Apple ID. In the per-device licensing model, managed distribution licenses are assigned directly to the device regardless of whether the user has entered Apple ID information. The end-user is not required to have an Apple ID in order for the app to be assigned to the device and installed from the App Store. It should be noted that if you convert an application to device-based licensing, you cannot revert it back to user-based licensing.

To get the desired result, perform the following steps:

  1. In the Workspace ONE UEM console, click Resources.
  2. Expand Apps and click Native.
  3. Select Purchased.
  4. Select one or more Public and/or Custom Apps.
  5. Click Enable Device Assignment.

    Note: If this button is not visible, click More Actions, and you’ll find Enable Device Assignment listed on the dropdown.

  6. When prompted, click OK to enable device-based licensing for the selected apps.

Assigning Volume-Purchased Apps to Devices

In this activity, you select the volume-purchased apps you want to assign to your devices and configure distribution for that assignment.

  1. In the Workspace ONE UEM console, click Resources.
  2. Expand Apps and click Native.
  3. Select Purchased.
  4. Optionally, click Filters, expand Platform and select Apple macOS to constrain the list to ONLY macOS apps.
  5. Click the volume-licensed app you want to assign (Tunnel - Workspace ONE in this example).
  6. Click Details.
  7. Select a category for the app from the dropdown. In this example, you can assign Utilities (System) to the Tunnel – Workspace ONE app.

  8. Optionally, you can assign an Application Terms of Use by clicking the Terms of Use tab, and selecting an existing Terms of Use from the dropdown. You can also create a new Terms of Use by clicking the Manage Terms of Use button.
  9. Click Save & Assign.
  10. Click Add Assignment.
  11. Enter a name for the Distribution. For example, All macOS Devices.
  12. Enter the name of an assignment group to allocate licenses.
  13. Enter the number of licenses to allocate to the Assignment group.
  14. If required, click Add and repeat steps 2 and 3 to allocate licenses to another assignment group.
  15. Select Auto to deliver the app automatically, or On Demand to deliver the app when requested by the user from the catalog.

  16. Click Create.
  17. If necessary, you can click Add Assignment to add another assignment for the app.
  18. You can use the dropdowns in the Priority column to modify the priority of the assignment. This helps determine how the app is assigned if a device has membership to multiple assignments.

  19. Click Save.
  20. Click Publish.

Updating Volume-Purchased Apps

Volume-purchased applications (iOS, macOS, and tvOS) always install the current App Store version of the application at the time the install occurs. Imagine the following scenario where the current App Store version of an application is 1.0 on Monday, but then becomes 1.1 on the following Monday. Any device where Workspace ONE UEM triggers an application install from Monday through Sunday would install version 1.0. However, on the following Monday (and going forward until the next version update), any devices where Workspace ONE UEM triggers an application install would install version 1.1. Put differently, Workspace ONE administrators must update pre-existing application installs as developers publish updated application versions in the App Store. Although end-users may have the ability to perform the application updates, they might not perform the updates consistently as desired by the organization's administrator(s).

With Workspace ONE UEM, administrators can configure Volume-Purchased apps to update on a one-time basis or automatically. When an app is set to automatically update, Workspace ONE continuously monitors for updated app versions in the App Store and triggers install commands to devices with an older version installed.

To get the desired result, perform the following steps:

  1. In the Workspace ONE UEM admin console, click Resources.
  2. Expand Apps and click Native.
  3. Click Purchased.
  4. Click Filters, expand Platform and select Apple macOS to constrain the list to ONLY macOS apps.

    Note: If an app displays Update Available, there is a newer version on the App Store than what is installed on some or all enrolled devices.
  5. Select the volume-licensed app you want to assign (Keynote in this example).
  6. Click Update App.

  7. Click OK when prompted to confirm the action.
  8. If you would like to configure the app to auto-update, select the volume-licensed app you want to assign (Keynote in this example).
  9. Click More Actions.
  10. Click Enable Auto Updates.
  11. Click OK when prompted to confirm the action.
  12. You can monitor the update process by selecting the app and clicking Manage Devices.
  13. Observe the Install commands.

  14. Close the window when complete.

    Note: The command remains queued for the device until it is processed successfully or fails with an unknown error.  If the device cannot immediately process the command, Workspace ONE will continue to queue the command. Upon the next notification to check-in (or after the device is unlocked), the device will attempt to re-process the command.

Volume-Purchased App Troubleshooting

As organizations deliver volume-purchased apps from Apple Business Manager, some unexpected issues may arise. This article addresses some common issues affecting volume-purchased app delivery.

Newly Purchased Apps Not Syncing to Workspace ONE UEM

This error is typically the result of one of the following issues:

  • Delays in Apple Business Manager from when you purchase the app to when the licenses are allocated to the Location Token.
  • Apple has released new Terms & Conditions in Apple Business Manager. 
    • To resume syncing, log in to Apple Business Manager with an account granted the Administrator role, and accept the updated Terms & Conditions.
  • The location token downloaded from Apple Business Manager and uploaded to Workspace ONE UEM has expired. 
    • Download a new server token from Apple Business Manager (under Settings > Apps & Books) and upload it to Workspace ONE UEM.

Device-Based Licensed Apps Not Installing

If you have assigned an app to a device using device-based assignment, one of the following could be an issue:

  • If the user is getting a prompt to log in with an Apple ID, there is most likely an assignment that was made to the user before the device-based assignment was created. 
    • Unassign the app from the user completely before you attempt to reassign the app to the device.
  • Ensure that an adequate number of licenses are available to assign to the device.
  • Ensure that the device has access to vpp.itunes.apple.com.
  • The location token downloaded from Apple Business Manager and uploaded to Workspace ONE UEM has expired. 
    • Download a new location token for that same location from Apple Business Manager (under Settings > Apps & Books) and upload it to Workspace ONE UEM.

Volume-Purchased Apps Not Removing from macOS

When a VPP app for macOS is no longer scoped to the device or user, or the device is enterprise wiped, the app is not removed from macOS. This is by design in macOS versions prior to macOS 11 (Big Sur), as these earlier versions of macOS did not support any commands to remove the application.

Deploying Non-App Store macOS Apps

Workspace ONE UEM provides a flexible deployment mechanism of Non-App Store applications to macOS devices. Through its integration with the open source tool Munki, Workspace ONE UEM can deploy and manage all macOS application types (.dmg, .pkg, .mpkg). In Workspace ONE, these non-app store applications are called Internal Apps.

Note: If you are using an on-premises version of Workspace ONE UEM, you will need to configure file storage to store large macOS applications and then configure a Content Delivery Network (CDN). SaaS-based instances of Workspace ONE UEM come with storage already configured. This tutorial is focused on the SaaS-based version of Workspace ONE UEM and will not cover the configuration of file storage and CDN for on-premises versions.

For information about configuring file storage for an on-premises instance of Workspace ONE UEM, see Installation File Path in the VMware product documentation.

Enable macOS Software Management

To begin deploying non-app store applications through Workspace ONE UEM, you must enable Software Management for Apple macOS. If you are using a SaaS-based version of Workspace ONE UEM, this is enabled by default.

To enable macOS Software Management, perform the following steps:

  1. In the Workspace ONE UEM console, click Groups & Settings.
  2. Expand Devices & Users, then click on Apple.
  3. Expand Apple macOS.
  4. Select Software Management.
  5. Select Override.
  6. Select Enabled for Enable Software Management.


  7. Click Save.

Preparing a Non-App Store App for Deployment

In this exercise, you will download the Workspace ONE Admin Assistant Tool and prepare the VMware Horizon Client for deployment through Workspace ONE UEM. Then, you will import the Horizon Client application into Workspace ONE UEM.

For this exercise, you will need to download the latest VMware Horizon Client for macOS. As of the date this document was published, the Horizon Client was available for download from here.

To get the desired result, perform the following steps:

  1. On a macOS device, double-click the Google Chrome icon.
  2. Navigate to the VMware Workspace ONE Admin Assistant Tool download website.
  3. At the time of this document’s creation, the URL for the website was: https://my.workspaceone.com/products/Workspace-ONE-Admin-Assistant-Tool.
  4. Select macOS for the platform, choose the latest version listed in the App Version dropdown, and select All to filter by console version.

  5. Click Installs and Upgrades.
  6. Click the latest version listed.
  7. Read and accept the End-User License Agreement.
  8. Launch the downloaded DMG file and double-click on the VMware Workspace ONE Admin Assistant package file.
  9. Accept the default options for installation and install the application on your macOS device.
  10. When the installation is complete, launch the Workspace ONE Admin Assistant located in your Applications folder.
  11. Drag and drop the DMG file for the Horizon Client into the Admin Assistant tool. When the tool has finished parsing, click the folder icon next to the listed DMG file.

NOTE: The folder will contain three files: a PLIST file, a PNG file, and a DMG file.

Deploying a Third-Party macOS App

  1. In the Workspace ONE UEM console, select Resources. Then select Apps.
  2. Select Native, and then click Internal.
  3. From the Add dropdown menu, select Application File.
  4. Click Upload and select Choose File. Navigate to the folder that was created by the Workspace ONE Admin Assistant. Choose the DMG file and click Upload.
  5. Click Save.
  6. After the upload has completed, click Continue.
  7. You will upload the Metadata file by clicking Upload and choose the PLIST file from the same folder. Click Save.
  8. After the upload has completed, click Continue.
  9. Click Images and then select Click or drag files here to add the PNG file from the same folder as the other files.

  10. Click Scripts.
  11. The Pre-Install Script runs before the Workspace ONE Intelligent Hub runs the dmg/pkg/mpkg file that installs the application. The pre-install script can be used to set up prerequisite items before the installer runs. The pre-install script must have an exit code of zero (0) for the install to proceed.
  12. The Post-Install Script runs after the Workspace ONE Intelligent Hub runs the dmg/pkg/mpkg file. This can be useful for applying configurations after the software completes the installation.
  13. The Pre-Uninstall Script runs before the Workspace ONE Intelligent Hub initiates the uninstall. The pre-uninstall script must have an exit code of zero (0) for the uninstall to proceed.
  14. The Uninstall Method defines how the Workspace ONE Intelligent Hub uninstalls software. Typically, Remove Copied Items is used for a DMG installer, and Remove Packages is used for a PKG installer.
  15. The Post-Uninstall Script provides a method to validate an uninstall was completed and potentially handle any cleanup for the uninstall.

  16. The Install Check script assists the Workspace ONE Intelligent Hub with determining whether an install needs to happen. This script can be useful for desired state purposes and ensuring that a software install remains intact on a user's machine. If the script has an exit code of zero (0), the agent assumes an Install is needed.
  17. The Uninstall Check Script validates whether an uninstall has occurred. If the script has an exit code of zero (0), the agent determines an uninstall is (or is still) required.

Note: Use the pre and post install scripts to avoid repackaging installers. By including scripts, you can automate tasks that would normally require user input before/after an install.

  18. Click Deployment.
  19. Note the section for Blocking Applications. If you select Yes, enter the name for any apps that should be closed before an app install or upgrade can proceed.
  20. Note the different Restart actions.
  21. Note the section to include conditions which can further constrain the deployment.

  22. Optionally, you can assign an Application Terms of Use by clicking Terms of Use, and selecting an existing Terms of Use from the dropdown. You can also create a new Terms of Use by clicking the Manage Terms of Use button.
  23. Click Save & Assign.
  24. Enter a name for the assignment. For example, All macOS Devices.
  25. Click in the Assignment Group section and select an assignment group. The selected group appears underneath the text box.
  26. Select a time and date to begin the deployment if you do not want to begin immediately.
  27. Select Auto to deliver the app automatically, or On Demand to deliver the app when requested by the user from the catalog.
  28. Enable Display in App Catalog if you want to display the app in the user's app catalog.

  29. Click Create.
  30. If additional assignments are required, click Add Assignment and repeat the process you just stepped through. When all assignments have been created, click Save.
  31. Click Publish.

Validating macOS App Installation

If your macOS device is enrolled in Workspace ONE UEM, the published application should download and install immediately if the app is set for Automatic download (see step 27 of Deploying a Third-Party macOS App). This exercise explains how you can manually validate that the application was installed.

  1. On the macOS device, click Launchpad in the Dock. Enter terminal to filter the Launchpad apps.
  2. Click Terminal.
  3. You will run a tail command on the ManagedSoftwareUpdate.log file to monitor the progress of the installation. In the terminal window, enter the following command.

    tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

Note: The -F parameter means the tail command will continually monitor the file for updates.

  4. Search for a line in the results stating VMware Horizon Client version 8.6.0 (or newer) is already installed. This indicates that the software has been installed on the macOS device.

  5. To further confirm the application is installed, click Launchpad in the Dock.
  6. Search for your installed app. In this example, the Horizon Client.
  7. Check that the VMware Horizon Client application is present.

Troubleshooting Non-App Store Deployments

Non-store macOS applications are delivered from Workspace ONE UEM by the Workspace ONE Intelligent Hub. As such, there are some basic prerequisites for macOS software delivery to work. If the prerequisites are not met, there might be unexpected behavior due to the specific installer package that must be worked around.

Non-store macOS apps require the following to work correctly:

Note: AWCM provides notifications to the Intelligent Hub to trigger real-time non-store app installation. In the absence of AWCM, the Intelligent Hub reverts to a scheduled interval to check for new app installation commands.

Gathering Logs

  1. Launch Intelligent Hub and click the Help menu.
  2. If necessary, expand Debug Session and click Start Session to enable debug (verbose) logging.
  3. To collect hub/debug logs, click Show Logs in Finder.

  4. After Hub collects the logs, Finder opens to /private/tmp/. Note the Hublogs folder and the pre-zipped archive file (containing the contents of the Hublogs folder).
  5. Review the ManagedSoftwareUpdate.log file for errors.
  6. You can also send the log files to the Workspace ONE UEM console by clicking Collect & Send Logs from the Help menu in Intelligent Hub.

Note: After the logs are collected, administrators can download the logs in the Workspace ONE UEM console by clicking Devices, then List View. Select the specific device, then click Attachments. The log files can be found under Documents. Click the specific log set to download locally on your computer.

Determining When to Install Non-App Store Apps

When determining whether to install a non-store macOS application, Workspace ONE uses the following information from the manifest PLIST (or the configuration in the console).

Note: The Install Check Script and Installs Arrays are the most flexible methods for determining installation status.

  1. Install Check Script - Whether entered in the Scripts tab in the console or entered manually in the PLIST file, the script should exit with a zero (0) return code to trigger an install. The script should include a shebang statement (such as #!/bin/zsh) at the beginning.
  2. Installs Array - This key-value pair in the PLIST file specifies identifying information about a binary or file which should be directly compared to determine if the correct version of an app is installed. The installs list can contain any number of items. These can be applications, Preference Panes, Frameworks, or other bundle-style items, Info.plists, or simple directories or files.

  3. Receipts Array - When a package is installed, the installer leaves a receipt and bill of materials file on the machine. Some packages parsed by the Workspace ONE Admin Assistant will include detail on what receipts will be dropped by the installer in the PLIST file. When a PLIST file lacks the install check script or installs array, the lack of specified receipt(s) triggers an install.

Troubleshooting Non-App Store Installer Problems

This section lists some of the common problems you might encounter when installing a non-store macOS app.

Incorrect Application Name in the Application Catalog

Sometimes an installer package parsed by the VMware Workspace ONE Admin Assistant generates a PLIST file where the application name is incorrect. It is also possible that organizations refer to software by a common or colloquial name that is easily recognized by end users. In either case, administrators can change the name displayed in the Intelligent Hub application catalog before uploading the PLIST to Workspace ONE UEM.

  1. In Finder, browse to the PLIST file generated by the Admin Assistant for the application in question.
  2. Right-click the PLIST file and select Open With, and select a text editor (such as TextEdit or BBEdit).
  3. Modify the string value for the name key-value pair.


Installers with No Package Version

Sometimes an installer package parsed by the VMware Workspace ONE Admin Assistant generates a PLIST file where the version shows Please Edit Me. This problem must be fixed before uploading the PLIST to Workspace ONE UEM.

  1. In Finder, browse to the PLIST file generated by the Admin Assistant for the application in question.
  2. Right-click the PLIST file and select Open With, and select a text editor (such as TextEdit or BBEdit).
  3. Modify the string value for the version key-value pair.


Installation is Looping (Always “Installing”)

In some instances, an application successfully installs but the Intelligent Hub continually reports the app as "Installing". If you look in the ManagedSoftwareUpdate.log file (see Gathering Logs), you'll see the app is constantly marked for installation each time the Hub checks for installed software. This is typically the result of a metadata PLIST that doesn't contain the correct receipt or installs arrays. In this instance, you must make one of the following changes to the metadata PLIST generated by Workspace ONE Admin Assistant:

  1. Validate or add an Installs Array as discussed in Determining When to Install Non-App Store Apps.
  2. Add an Install Check Script (and ensure it returns a zero (0) value return code when an install should proceed).
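The placeholder version, the missing shebang, and the missing install-status signals described above can all be caught before the PLIST is uploaded. The following is an added example, not VMware's tooling or code from this tutorial: it assumes the metadata PLIST uses munki-style key names (installcheck_script, installs, receipts), where the tutorial itself names only the name and version keys, and the sample PLIST is constructed.

```python
import plistlib

# Constructed sample, not real Admin Assistant output. The keys
# installcheck_script, installs and receipts are assumed munki-style names;
# the tutorial itself only names the name and version keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>name</key><string>ExampleApp</string>
    <key>version</key><string>Please Edit Me</string>
    <key>installcheck_script</key>
    <string>[ -d "/Applications/ExampleApp.app" ] &amp;&amp; exit 1
exit 0</string>
    <key>receipts</key><array/>
</dict>
</plist>"""


def lint_metadata(raw: bytes) -> list[str]:
    """Return findings to fix before the PLIST is uploaded."""
    meta = plistlib.loads(raw)
    findings = []

    if not str(meta.get("name", "")).strip():
        findings.append("name: missing or empty")

    # "Please Edit Me" is the placeholder shown when no version was found.
    version = str(meta.get("version", "")).strip()
    if not version or version.lower() == "please edit me":
        findings.append("version: missing or still the placeholder")

    # The install check script should begin with a shebang such as #!/bin/zsh.
    script = str(meta.get("installcheck_script", ""))
    if script.strip() and not script.startswith("#!"):
        findings.append("installcheck_script: does not start with a shebang")

    # Without a usable script, installs array or receipts array, nothing can
    # report the app as installed (see "Installation is Looping").
    installs = meta.get("installs") or []
    receipts = meta.get("receipts") or []
    if not (script.strip() or installs or receipts):
        findings.append("no install check script, installs array or receipts")
    elif not (script.strip() or installs):
        findings.append("receipts only: confirm the installer leaves them")
    return findings


if __name__ == "__main__":
    for finding in lint_metadata(SAMPLE_PLIST):
        print("FIX:", finding)
```

The sample's install check script follows the tutorial's convention that exit code 0 triggers an install, so it exits 1 when the app bundle is already present.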

App-Specific Deployment Guidance

This section contains deployment guidance for certain applications.

Deploying Microsoft Office for macOS

A common question is whether to deploy Microsoft Office for macOS from the Mac App Store using Apple’s Volume Purchased Program or as an internal app using the downloaded *.pkg installer. This section provides guidance as to which version to deploy.

Using Mac App Store Deployment (Volume-Purchased)

  • Deploy the most recent current channel release
  • Users MUST be Office 365 or Microsoft 365 licensed on a plan that includes downloadable apps
  • Large installer caching via macOS Caching Services
  • Automated software updates via Mac App Store

Using Internal App (*.pkg) Deployment

  • Deploy specific non-current Office versions, or beta/preview (Insiders) versions
  • Deploy to users with O365, M365, or Microsoft Volume Licenses (using the VL Serializer)
  • Scripted updates via Microsoft AutoUpdate (MAU) tool
  • Scripted install directly from Microsoft CDN

Summary and Additional Resources

This operational tutorial provided steps to deploy macOS apps using Workspace ONE UEM for two scenarios:

  • Deploy macOS store applications to devices as volume-purchased apps.
  • Deploy non-store macOS apps as internal apps in Workspace ONE UEM.

The tutorial also discussed basic troubleshooting of some common issues for each method.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on macOS, see Understanding macOS Management.

You may also wish to read these additional operational tutorials from macOS on VMware Tech Zone.

Date

Change

12/05/2022

Updates to all sections

  • Updated screenshots
  • Removed reference to on-premises Workspace ONE UEM
  • Added additional detail to step-by-step instructions

Removed the following chapters

  • (Optional) Configuring Additional Hub Services
  • Common Non-Store App Deployment Use-Cases

08/27/2021

Updates to all sections

  • Updated Screenshots
  • Clarifications and Minor Verbiage changes

Added the following chapters/articles

  • Configuring the Hub Catalog

06/02/2021

Added the following chapters/articles

  • Common Non-Store App Deployment Use-Cases

03/16/2021

Added the following chapters/articles

  • App-Specific Deployment Guidance

08/12/2020

Removed the following chapters

  • Deploying a 3rd Party macOS App 
  • Deploying a 3rd Party macOS App as a Product (Legacy)

Added the following chapters/articles

  • Deploying Store vs Non-Store macOS Apps
  • Deploying Volume-Purchased macOS Apps
  • Troubleshooting Volume-Purchased macOS App Installs
  • Deploying a Non-Store macOS App
  • Troubleshooting Non-Store App Deployments

03/15/2019

  • Initial release

About the Authors

The latest version of this tutorial was written by:

  • Michael Bradley, Senior Technical Marketing Architect, End-User-Computing Technical Marketing, VMware

This tutorial was originally written by:

  • Robert Terakedis, VMware Alumni
  • Hannah Jernigan, Team Lead, Content Management, End-User-Computing Technical Marketing, VMware

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

