Install macOS Roaming Client using Intune
Follow this post to install the macOS Roaming Client via Intune, Microsoft's endpoint manager.
What you need from DNSFilter
- Set up a network Site to associate with the agents. Make sure to assign the appropriate Filtering Policy and Block Page to the Site.
- The Site Secret Key (SSK) from the Roaming Client Install tab
- Create the script below to download and install the macOS Roaming Client:
#!/bin/sh
curl https://download.dnsfilter.com/User_Agent/MacOS/DNSFilter%20Agent-Installer.pkg -o /tmp/DNSFilter%20Agent-Installer.pkg
cd /tmp && echo INSERTYOURSITESECRETKEYHERE > dns_agent_site_key && sudo installer -dumplog -pkg DNSFilter%20Agent-Installer.pkg -target /
- Add the SSK to the script on the INSERTYOURSITESECRETKEYHERE line
Intune Specifications
Add the macOS Roaming Client following Microsoft's Shell Script instructions.
-
This method had previously worked in macOS Sonoma, but now, either as a result of macOS Sequoia or the fact the package has been updated, we face this issue.
"DNSFilter%20Agent-Installer.pkg was signed with a certificate that is not valid for store submission"
0 -
Jos Busby, the issue you’re encountering is due to new security settings in macOS Sequoia, which now require a certificate for installation that Sequoia doesn't provide. To fix this, you’ll need to uninstall the latest version of DNSFilter and then reinstall 1.8.6, which should resolve the issue.
Alternatively, you can manually push the update if that’s easier for your environment. Let us know if you need further assistance!
0 -
Hey Bailey,
We are getting the following error on devices trying to install for the first time:
installer: Note: running installer as an admin user (instead of root) gives better Mac App Store fidelity
installer: Warning: DNSFilter%20Agent-Installer.pkg was signed with a certificate that is not valid for store submission.
installer: Installation Check: Passed
installer: Volume Check: Passed
installer: Bundle com.dnsfilter.agent.macos will be installed to /Applications/DNSFilter Agent.app
installer: Starting install
installer: Install 0.0% complete
installer: Install failed: The install was canceled because the application integrity could not be verified.
0 -
Hi Matt Stropoli, the installation issue you’re experiencing may be related to changes in macOS Sequoia, which affect how applications can be installed using the -store flag in the installer command. Apple has introduced new restrictions that prevent installations from proceeding when using this flag, which can lead to integrity verification failures.
Workarounds & Next Steps:
- Modify the Installation Command:
  - Ensure that you've removed the -store option from the installer command:
    cd /tmp && echo ac796366624e3a6be0265570 > dns_agent_site_key && sudo installer -dumplog -pkg DNSFilter%20Agent-Installer.pkg -target /
  - Note: Removing -store will prompt the user to manually approve the SSL certificate installation, meaning it will no longer be a fully silent install.
- Pre-Install the SSL Certificate:
  - To ensure the installation proceeds smoothly, manually deploy the SSL certificate to the device before installing the agent.
  - You can download the SSL certificate from the DNSFilter Dashboard and deploy it using Intune or manually add it to the macOS Keychain.
  - Guide: Install SSL certificates to display a Block Page on HTTPS-based websites
- Upcoming Solution:
  - DNSFilter is working on an update to the roaming client that will only install SSL certificates if they are not already present.
  - This update will allow silent installations again when the SSL certificate is pre-installed.
  - While we don’t have an ETA yet, we will provide updates as soon as the new version is available!
If you have any further questions or need additional assistance, feel free to reach out. Let us know if these steps help resolve the issue!
0 -
Thank you Bailey. I used your resources and created the following script that combines the SSL Cert pre-install and the package install. I was able to successfully deploy to my device via Intune and verified the cert installed correctly and my agent was updated to the latest 1.8.6 version! Providing the script in case anyone else is looking for a similar deployment:
#!/bin/bash
# Install the Certificate
curl -sSL https://app.dnsfilter.com/certs/DNSFilter.cer -o /tmp/DNSFilter.cer
sudo security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /tmp/DNSFilter.cer
# Install the DNSFilter Agent (using original filename)
curl -sSL https://download.dnsfilter.com/User_Agent/MacOS/DNSFilter%20Agent-Installer.pkg -o /tmp/DNSFilter%20Agent-Installer.pkg
cd /tmp || exit 1 # Handle cd failure
echo "Enter Site Key Here" > dns_agent_site_key
sudo installer -dumplog -pkg "DNSFilter%20Agent-Installer.pkg" -target / # Use original filename with quotes
# Clean up (optional but good practice)
rm -f /tmp/DNSFilter.cer
rm -f /tmp/DNSFilter%20Agent-Installer.pkg # Remove with original filename
rm -f /tmp/dns_agent_site_key
echo "Installation complete."
3 -
Matt Stropoli I'm happy to hear it worked for you and thank you for adding additional insights to our documentation for other users!
0