Deploying Microsoft 365 Apps for Mac with Microsoft Endpoint Manager – A Deep Dive

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

By Neil Johnson – Principal Program Manager | Microsoft Endpoint Manager – Intune

 

Microsoft 365 for Mac, or Microsoft 365 apps for Mac as it’s now known, is a key part of any Microsoft 365 deployment. The Office team has been hard at work making our Mac story the best it possibly can be over the past few years.

 

The current version has been redesigned based on our Fluent UI which matches Apple’s new Big Sur UI. It makes native use of Apple Silicon processors for improved performance and battery life, but how do you get it deployed to your users?

 

This article covers all the options available, the advantages and disadvantages of each of them, and why you would choose one over the others. We wrap up with guidance on the scenarios each one is best suited to.

 

Microsoft 365 Apps for Mac deployment methods via Intune

There are three different mechanisms that we can use within Microsoft Intune to get Microsoft 365 Apps deployed to Macs. Each has its own advantages and disadvantages.

 

  1. Mac App Store via Volume Purchase Program (VPP)
  2. Microsoft Content Delivery Network
  3. Intune Scripting Agent for Mac

Let’s look at each of these in turn.

 

1. Deploying Microsoft 365 Apps for Mac via Volume Purchase Program (VPP)

Microsoft 365 for Mac is published to the Mac App Store, which means that end users can install it themselves if they have an Apple ID. Additionally, if you have an Apple Business Manager account, you can use Intune to push apps from the Mac App Store directly to your devices.

 

Microsoft 365 app suite in the macOS App Store

Steps to deploy Office via Apple Volume Purchase Plan (VPP)

This method is dependent on having an Apple VPP token configured already. Before following these steps ensure that you’ve followed our documentation on this here.

 

Once you have an Apple Business Manager VPP token synchronised with Intune, you can use the following steps to license and assign Office Apps to your users.

 

  1. Open https://business.apple.com/#main/appsandbooks
  2. Click in the search menu box, change Type to "Mac" and search for "Microsoft".

    Microsoft apps in the Apple Volume Purchase Plan (VPP) Apps and Books console
  3. Select the Application that you want to assign licenses to.
  4. Assign the Application to your organization and enter in the number of licenses that you need. Since there’s no cost for these apps it makes sense to enter more licenses than you will need (within reason).

    Example screenshot of purchasing the Microsoft Word app with license count
  5. Once you have entered the values, click Get. The Application will temporarily show as Processing.

    Example screenshot of the Microsoft Word app "Processing".
  6. After a few minutes it will update and show the number of licenses you have available.

    Example screenshot of available licenses for the Microsoft Word app
  7. Repeat the process for the other applications that you intend to use.
  8. Open the Microsoft Endpoint Manager admin center and select Tenant Administration > Connectors and tokens > Apple VPP Tokens.

  9. Select the Token you want to sync and click Sync in the ellipsis menu.

    Available Apple VPP Tokens and Sync button location in the MEM admin center

  10. Still in the Microsoft Endpoint Manager admin center open Apps > macOS and filter for unassigned apps then type "Microsoft" into the search bar.

    macOS apps and Filter location in the MEM admin center
  11. Select each app that you wish to deploy and assign it to an Azure AD group.
  12. Select the Application > Properties > Assignments (right at the bottom) > Edit.
  13. Under "Required" select Add group and search for the right group in Azure AD.
  14. Configure the assignment settings and click OK.
    • Assignment Settings > Mode = Included
    • App settings > License type = Device Licensing
    • App settings > Uninstall on device removal = Yes
  15. Click "Review and Save". After review click "Save" to complete the assignment.
  16. Repeat the assignment for the rest of the Office apps that you want to be deployed.
  17. To check the configuration, trigger an MDM sync on a user’s device that was assigned the applications. The apps should begin to download and install within a few minutes of the sync completing.

Advantages
  • It makes use of Apple’s content caching, which can greatly improve deployment efficiency (Note: Intune can also be used to configure your content caches)
  • It’s possible to deploy the individual apps.
  • Easy to configure if you already have Apple Business Manager.
  • You can configure the apps to uninstall on unenrollment.
  • You can send an uninstall command to remove unwanted apps.

Disadvantages
  • Teams is not yet in the Mac App Store (could be deployed via scripting agent)
  • You cannot control which update channel to use.
  • When OneDrive is deployed via VPP it will have a different bundleID than if it was installed via a standalone installer.
    • VPP: com.microsoft.OneDrive-mac
    • CDN: com.microsoft.OneDrive
  • Updates via this approach can be unpredictable, especially if apps are permanently open.

 

If you require a relatively simple deployment of the Microsoft 365 App suite and have investments in both Apple Business Manager and Apple Content caching, then this mechanism of Microsoft 365 Apps for macOS deployment may be the most suitable.

 

2. Deploying Microsoft 365 Apps for Mac via the Microsoft Content Delivery Network

This mechanism is supported natively by Microsoft Intune. It is as simple as checking a box and providing a group of users to deploy it to. Those users will receive the entire Microsoft 365 Apps suite (which includes Teams and the Microsoft AutoUpdate tool).

 

Steps to deploy Office via the Microsoft Content Delivery Network

  1. Open the Microsoft Endpoint Manager admin center and select Apps > macOS > Add
  2. Under Select "App Type" choose Microsoft 365 Apps > macOS

    Selecting the Microsoft 365 Apps in the MEM admin center
  3. Adjust the Suite description details as required and click Next to continue.

    Microsoft 365 Apps for macOS - App properties in the MEM admin center
  4. Assign Scope Tags if you need them, click Next.
  5. Under Required click "Add group" and search for an appropriate group to target the Microsoft 365 Apps for Mac to.

    Microsoft 365 App Suite for macOS - Assignment properties in the MEM admin center
  6. Click Next, review, and then click Create to assign the Microsoft 365 Apps to the Azure AD group.
  7. To check the configuration, trigger an MDM sync on a user’s device that was assigned the applications. The apps should begin to download and install within a few minutes of the sync completing.

 

Note: This process will install the entire Microsoft 365 Apps for macOS suite, including Teams. However, it is possible to control which apps are installed via plist. We have a sample plist for this on our GitHub repo here. The instructions for deploying a preference file can be found here.

 

Advantages
  • Easy to deploy.
  • Includes the Microsoft AutoUpdate (MAU) tool which can be configured via plist to auto update and deploy insider builds of Office for testing to some users (covered later).
  • Possible to create a local MAU cache server for updates.

Disadvantages
  • Large initial download size (1.8GB) and doesn’t use local caching.

 

If you don’t have Apple Business Manager or Apple Content caching and you need the entire suite, plus Teams, this is probably the easiest way to get Office 365 Business Pro for Mac installed.

 

3. Deploying Microsoft 365 Apps for Mac via the Intune Scripting Agent for Mac

This approach uses the Intune scripting agent to download and install the Office suite or individual apps. There are examples of this approach on our Intune Shell Samples GitHub Repo.

 

Our GitHub Repo has two main scripts that help in this circumstance.

  1. Deploy entire Office Suite
  2. Deploy individual Office Suite apps

 

These two scripts do the same thing. Once they are deployed onto the Mac, they attempt to download the installer package and then install it. The main benefit here is that you get additional flexibility about the installation process.

 

This is a sample of some code from installOfficeBusinessPro.sh which will look for a local copy of the installer before downloading from the CDN servers. You would need to handle the downloading of the latest installer package regularly. We have an example script to do this here.

 

 

 

    # appname is set earlier in the full script
    localcopy="http://192.168.68.150/OfficeforMac/OfficeBusinessPro.pkg"
    weburl="https://go.microsoft.com/fwlink/?linkid=2009112"
    tempfile="/tmp/office.pkg"

    #
    # Check to see if we can access our local copy of Office
    #
    # -f makes curl fail on HTTP errors (e.g. 404) instead of saving the error page as the package
    curl -f -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o "$tempfile" "$localcopy"
    if [ $? -eq 0 ]; then
        echo "$(date) | Local copy of $appname downloaded at $tempfile"
    else
        echo "$(date) | Couldn't find local copy of $appname, need to fetch from CDN"
        echo "$(date) | Downloading $appname from CDN"
        curl -f -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o "$tempfile" "$weburl"
        if [ $? -eq 0 ]; then
            echo "$(date) | Success"
        else
            echo "$(date) | Failure"
            exit 5
        fi
    fi
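The sample above fetches the local copy over plain HTTP and the package is then installed as root, so a signature check between download and install is worth having. The functions below are an added example, not part of installOfficeBusinessPro.sh or the Intune samples: they evaluate `pkgutil --check-signature` output, and the function names, the Team ID value (to be confirmed against a package you already trust) and the sample report (constructed for illustration) are assumptions.

```bash
#!/bin/bash
# Added example: refuse to install a downloaded package unless pkgutil reports
# an Apple-issued Developer ID Installer signature from the expected team.

# Assumption: Team ID shown by pkgutil for Microsoft-signed installers.
# Confirm it against a package obtained from a source you already trust.
EXPECTED_TEAM_ID="UBF8T346G9"

# signature_is_trusted <pkgutil report text> <team id>
# Succeeds only when the report says the package is signed with a certificate
# issued by Apple AND the leaf certificate (entry 1 of the chain) is a
# "Developer ID Installer" certificate carrying the expected Team ID.
signature_is_trusted() {
    local report="$1"
    local team_id="$2"
    local leaf

    # Unsigned, expired or untrusted packages do not carry this status line.
    printf '%s\n' "$report" |
        grep -q 'Status: signed by a developer certificate issued by Apple' || return 1

    # Only the first chain entry identifies the signer; later entries are CAs.
    leaf=$(printf '%s\n' "$report" | grep -m1 -E '^[[:space:]]*1\. ') || return 1

    printf '%s\n' "$leaf" |
        grep -Eq "1\. Developer ID Installer: .+ \(${team_id}\)"'[[:space:]]*$'
}

# verify_pkg <path>: run pkgutil (macOS only) and evaluate its report.
verify_pkg() {
    local pkg_report
    pkg_report=$(pkgutil --check-signature "$1" 2>&1) || return 1
    signature_is_trusted "$pkg_report" "$EXPECTED_TEAM_ID"
}

# install_if_trusted <path>: call this where the script would otherwise run
# the installer directly on the downloaded file.
install_if_trusted() {
    if verify_pkg "$1"; then
        echo "$(date) | Signature OK, installing $1"
        installer -pkg "$1" -target /
    else
        echo "$(date) | Signature check failed for $1, removing it"
        rm -f "$1"
        return 6
    fi
}

# Constructed sample of `pkgutil --check-signature` output (not captured from
# a real package; file name and dates are placeholders).
SAMPLE_REPORT='Package "office.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2021-01-01 00:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
       Expires: 2026-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
       Expires: 2027-01-01 00:00:00 +0000
    3. Apple Root CA
       Expires: 2035-01-01 00:00:00 +0000'
```

Creating the download target with `mktemp` instead of a fixed path under /tmp also keeps a root-run script from writing to a location another local user could have prepared in advance.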

 

 

 

The individual Office apps script has an array in which you specify the applications that you want to install. The entries within this array are the <id> values from here.

 

 

    # Edit AppstoInstall array with "id" values from https://macadmins.software/latest.xml for the apps you want to install
    # Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
    AppsToInstall=(
        "com.microsoft.word.standalone.365"
        "com.microsoft.excel.standalone.365"
        "com.microsoft.powerpoint.standalone.365"
        "com.microsoft.outlook.standalone.365"
        "com.microsoft.onenote.standalone.365"
        "com.microsoft.onedrive.standalone"
        "com.microsoft.skypeforbusiness.standalone"
        "com.microsoft.teams.standalone"
    )

 

 

 

Steps to deploy Microsoft 365 Apps for Mac via the Intune Scripting agent

Example: Deploying Outlook, Word, PowerPoint, and OneDrive to a Mac via the scripting agent.

  1. Download a copy of our sample file installOfficeSuiteIndividualApps.sh and save it to your device.
  2. Open the file in your text editor of choice and modify the AppsToInstall array to only include Outlook, Word, PowerPoint and OneDrive.
    # Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
    AppsToInstall=(
        "com.microsoft.outlook.standalone.365"
        "com.microsoft.word.standalone.365"
        "com.microsoft.powerpoint.standalone.365"
        "com.microsoft.onedrive.standalone"
    )
  3. Mark the script as executable by opening a Terminal session and using the chmod +x command. Assuming that you downloaded the script to ~/Downloads type:
    chmod +x ~/Downloads/installOfficeSuiteIndividualApps.sh
  4. If possible, find a test device and copy the script across. Run it as root by typing:
    sudo ~/Downloads/installOfficeSuiteIndividualApps.sh
  5. Open the Microsoft Endpoint Manager admin center and Devices > macOS > Shell Scripts > Add
  6. Enter a Name and Description and click Next.

    Creating a new custom macOS script in the MEM admin centerCreating a new custom macOS script in the MEM admin center
  7. Click in the file browse UI in the Upload script dialog and select the saved installOfficeSuiteIndividualApps.sh file.
    1. Run script as signed-in user = No
    2. Hide script notifications on device = Not configured
    3. Script frequency = Not configured
    4. Set the Max number of retries to 3 and leave the rest as Not configured.

      Custom macOS script - Script settings in the MEM admin center
  8. Assign Scope Tags if you need them, click Next.
  9. Under "Required" click Add group and search for an appropriate group to target the script to.

    Custom macOS script - Assignment settings in the MEM admin center
  10. Click Next, review, and then click Create to assign the script to the Azure AD group.
  11. The Intune script agent runs on an 8hr check-in cycle but can be manually triggered by the end user.
    1. Open the Company Portal app (sign-in if prompted).
    2. Select the device you are using.
    3. Click Check Settings under the ellipses menu.

      "Check status" location in the Company Portal for macOS
    4. The script agent will check-in against the service and attempt to run the script.
  12. The script will log to this log file.
    /Library/Intune/Scripts/installOfficeSuiteIndividual/installOfficeSuiteIndividual.log
  13. The Intune script agent itself creates a daily log in this location.
    /Library/Logs/Microsoft/Intune

     

Advantages
  • Fastest install time.
  • Additional logging.
  • Can deploy either entire suite or individual apps.
  • Possible to cache the initial installation files on local webserver.
  • Possible to create a local MAU cache server for updates.
  • Includes the Microsoft AutoUpdate (MAU) tool which can be configured via plist to auto update and deploy insider builds of Office for testing to some users (covered later).

Disadvantages
  • Requires additional server infrastructure for caching.
  • Requires bash scripting skills.
  • Additional infrastructure complexity.

 

Controlling Microsoft 365 apps for Mac updates with Microsoft AutoUpdate (MAU)

If you are deploying Microsoft 365 Apps for Mac via the CDN (or script agent) you will notice that updates are handled via the Microsoft AutoUpdate tool. To see this, open any of the Office apps and click on Help > Check for Updates.

 

Screenshot of the Microsoft AutoUpdate (MAU) tool

In the Microsoft AutoUpdate menu, click Advanced to see the Update Channel and if the app is configured for Automatic Updates.

 

Screenshot of the Microsoft AutoUpdate (MAU) tool and Preferences options

The MAU tool can be configured by deploying Intune property lists. You can even control deadlines for individual app updates as described here. The complete list of available keys for MAU can be found here.

 

We have three common examples on our GitHub Repo:

 

Let’s look at these plist examples and how we might use them in a typical deployment where we have a mixture of standard users on the Current channel and a group of early adopters on Preview or Beta.

 

Note: More information on Office Insiders content for Mac can be found here.

 

Below is the plist for our production users. The important keys here are:

  • ChannelName: Tells MAU which version of Office to install
  • DisableInsiderCheckbox: Prevents the end user from changing the update channel
  • UpdateCache: Tells MAU where to look locally for updates (see MAU Cache)

    <key>AcknowledgedDataCollectionPolicy</key>
    <string>RequiredAndOptionalData</string>
    <key>ChannelName</key>
    <string>Current</string>
    <key>UpdateCache</key>
    <string>http://192.168.68.150/MAU</string>
    <key>HowToCheck</key>
    <string>AutomaticDownload</string>
    <key>DisableInsiderCheckbox</key>
    <true/>
    <key>EnableCheckForUpdatesButton</key>
    <true/>
    <key>ExtendedLogging</key>
    <false/>
    <key>SendAllTelemetryEnabled</key>
    <true/>
    <key>StartDaemonOnAppLaunch</key>
    <true/>
    <key>UpdateCheckFrequency</key>
    <integer>720</integer>

 

 

 

The Beta plist is the same but with one exception:

  • ChannelName = Beta

 

 

<key>ChannelName</key> <string>Beta</string>

 

 

 

 

We would assign the property lists as follows:

  • Current Office 365 for Mac users
    • Assign com.microsoft.autoupdate2_current.plist to the same group that Office 365 Business application or deployment script was assigned to
    • Exclude your Beta Office 365 Business users group
  • Beta Office 365 for Mac users
    • Assign com.microsoft.autoupdate2_beta.plist to your Beta Office 365 Business users group

 

Steps to configure in Intune:

  1. Open the Microsoft Endpoint Manager admin center and Devices > macOS > Configuration Profiles > Create Profile > Preference File > Create.
  2. Set a Name and Description and click Next.
  3. Enter the preference domain name as: com.microsoft.autoupdate2
  4. Click on the file browser UI and select the current plist that you downloaded from our GitHub site. Then click Next.

    Microsoft AutoUpdate PLIST for Standard users - Preference file settings
  5. Assign Scope Tags if you need them, click Next.
  6. Under "Required" click Add group and search for the same group that you assigned Office 365 for Mac Pro to.
  7. Under "Excluded Groups" click Add group and search for the group(s) that you are going to assign the Beta and/or Preview plist to.

    Microsoft AutoUpdate PLIST for Standard users - Assignment settings
  8. Click Next, Review the content and then click Create.

    Now we have the ‘Current’ config deployed, let’s create one for our ‘Beta’ users.

  9. Click Devices > macOS > Configuration Profiles > Create Profile > Preference File > Create.
  10. Set a Name and Description and click Next.
  11. Enter the preference domain name as: com.microsoft.autoupdate2
  12. Click on the file browser UI and select the Beta plist that you downloaded from our GitHub site. Then click Next.
    Microsoft AutoUpdate PLIST for InsiderFast users - Preference file settings
  13. Assign Scope Tags if you need them, click Next.
  14. Under "Required" click Add group and search for the group that you want to use to assign Microsoft 365 apps for macOS Beta channel to.
  15. Do not put anything in Excluded groups.
    Microsoft AutoUpdate PLIST for InsiderFast users - Assignment settings
  16. Click Next, Review the content and then click Create
  17. Click Devices > macOS > Configuration Profiles > Search for "AutoUpdate" and you should have two Preference File policies, one for InsiderFast users and one for Standard.
    Configuration Profiles for macOS search result for "auto" in the MEM admin center
  18. To check the configuration, trigger an MDM sync on a user’s device that is in the Current group and then repeat for another user in the Beta group. After sync the Microsoft AutoUpdate tool should reflect the changes.
  19. This is what a user in the Beta group should see once their device has completed its next MDM sync.
    Microsoft AutoUpdate (MAU) tool - Preference settings
    Microsoft AutoUpdate (MAU) tool - Available updates
    Note: To troubleshoot MAU property list files look on the target machine under /Library/Managed Preferences for com.microsoft.autoupdate2.plist. If this file is present, it means that Intune has deployed the configuration.

  20. To check the contents of the deployed plist use the following commands:
    % cp /Library/Managed\ Preferences/com.microsoft.autoupdate2.plist ~/Desktop
    % plutil -convert xml1 ~/Desktop/com.microsoft.autoupdate2.plist
    % cat ~/Desktop/com.microsoft.autoupdate2.plist

    Once converted from binary to XML, the plist should look like it did in the original Intune plist.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>AcknowledgedDataCollectionPolicy</key>
        <string>RequiredAndOptionalData</string>
        <key>ChannelName</key>
        <string>Beta</string>
        <key>DisableInsiderCheckbox</key>
        <false/>
        <key>EnableCheckForUpdatesButton</key>
        <true/>
        <key>ExtendedLogging</key>
        <false/>
        <key>HowToCheck</key>
        <string>AutomaticDownload</string>
        <key>SendAllTelemetryEnabled</key>
        <true/>
        <key>StartDaemonOnAppLaunch</key>
        <true/>
        <key>UpdateCheckFrequency</key>
        <integer>720</integer>
    </dict>
    </plist>

     

  21. The Microsoft AutoUpdate app generates a log file in the following location.
    /Library/Logs/Microsoft/autoupdate.log

Summary

There are three ways to handle Microsoft 365 apps for macOS deployment with Intune. There are no right and wrong solutions here; each is applicable in certain circumstances.

 

Most environments should start with the Intune CDN method of deployment combined with a custom plist for the Microsoft AutoUpdate agent as described in this post. This method provides the best balance of complexity and flexibility, and is the easiest to support for most scenarios.

 

Deployment Method

Use when…

Apple Volume Purchase Plan (VPP)

  1. You have Apple Business Manager and you have deployed Apple Content caching.
  2. You don’t need to support Beta or Preview builds.
  3. You don’t need to ensure that the Microsoft 365 apps for macOS are up to date.

Intune CDN

  1. You want to deploy with the least amount of effort.
  2. Your network can cope with the initial download demands (1.8GB per device).
  3. You want to ensure that the Microsoft 365 apps for macOS are updated reliably.
  4. You want to have some users on Beta or Preview for early adopter testing.
  5. You want to take advantage of Microsoft AutoUpdate cache locally.

Intune Scripting Agent

  1. Speed of download and install is important.
  2. You need additional logging.
  3. You want to locally cache the initial download.
  4. You want to take advantage of Microsoft AutoUpdate cache locally.
  5. You want to have some users on Beta or Preview for early adopter testing.
  6. You want to ensure that the Microsoft 365 apps for macOS are updated reliably.
  7. You want to deploy specific apps and not just the entire suite.
  8. You have some in-house bash scripting skills (or time to learn).

 

We’ll be writing more content for macOS over the remainder of this year, so feel free to let us know scenarios that you’d like us to cover.

 

Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.
