Install macOS Roaming Client using Intune
🚨 Important: Due to security changes in macOS Sequoia (OS 15), the instructions on this page may no longer apply to Roaming Client version 2.2.0 and above. These methods are no longer officially supported.
If you've successfully deployed the macOS Roaming Client v2.2.0+ using an RMM or MDM tool under these new conditions, we encourage you to share your steps in the Community to help others navigating similar setups.
Follow this post to install the macOS Roaming Client via Intune, Microsoft's endpoint manager.
What you need from DNSFilter
- Set up a network Site to associate with the agents. Make sure to assign the appropriate Filtering Policy and Block Page to the Site.
- The Site Secret Key (SSK) from the Roaming Client Install tab
- Create the script below to download and install the macOS Roaming Client:
    #!/bin/sh
    # Download the installer package to /tmp
    curl https://download.dnsfilter.com/User_Agent/MacOS/DNSFilter%20Agent-Installer.pkg -o /tmp/DNSFilter%20Agent-Installer.pkg
    # Write the Site Secret Key to dns_agent_site_key in /tmp, then install the package
    cd /tmp && echo INSERTYOURSITESECRETKEYHERE > dns_agent_site_key && sudo installer -dumplog -pkg DNSFilter%20Agent-Installer.pkg -target /
- Add the SSK to the script on the INSERTYOURSITESECRETKEYHERE line
Intune Specifications
Add the macOS Roaming Client following Microsoft's Shell Script instructions.
-
This method had previously worked in macOS Sonoma, but now, either as a result of macOS Sequoia or the fact the package has been updated, we face this issue.
"DNSFilter%20Agent-Installer.pkg was signed with a certificate that is not valid for store submission"
-
Jos Busby The issue you're encountering is due to new security settings in macOS Sequoia, which now require a certificate for installation that Sequoia doesn't provide. To fix this, you'll need to uninstall the latest version of DNSFilter and then reinstall 1.8.6, which should resolve the issue.
Alternatively, you can manually push the update if that's easier for your environment. Let us know if you need further assistance!
-
Hey Bailey,
We are getting the following error on devices trying to install for the first time:
installer: Note: running installer as an admin user (instead of root) gives better Mac App Store fidelity
installer: Warning: DNSFilter%20Agent-Installer.pkg was signed with a certificate that is not valid for store submission.
installer: Installation Check: Passed
installer: Volume Check: Passed
installer: Bundle com.dnsfilter.agent.macos will be installed to /Applications/DNSFilter Agent.app
installer: Starting install
installer: Install 0.0% complete
installer: Install failed: The install was canceled because the application integrity could not be verified.
-
Hi Matt Stropoli, the installation issue you're experiencing may be related to changes in macOS Sequoia, which affect how applications can be installed using the -store flag in the installer command. Apple has introduced new restrictions that prevent installations from proceeding when using this flag, which can lead to integrity verification failures.
Workarounds & Next Steps:
- Modify the Installation Command:
  - Ensure that you've removed the -store option from the installer command:
    cd /tmp && echo ac796366624e3a6be0265570 > dns_agent_site_key && sudo installer -dumplog -pkg DNSFilter%20Agent-Installer.pkg -target /
  - Note: Removing -store will prompt the user to manually approve the SSL certificate installation, meaning it will no longer be a fully silent install.
- Pre-Install the SSL Certificate:
  - To ensure the installation proceeds smoothly, manually deploy the SSL certificate to the device before installing the agent.
  - You can download the SSL certificate from the DNSFilter Dashboard and deploy it using Intune or manually add it to the macOS Keychain.
  - Guide: Install SSL certificates to display a Block Page on HTTPS-based websites
- Upcoming Solution:
  - DNSFilter is working on an update to the roaming client that will only install SSL certificates if they are not already present.
  - This update will allow silent installations again when the SSL certificate is pre-installed.
  - While we don't have an ETA yet, we will provide updates as soon as the new version is available!
If you have any further questions or need additional assistance, feel free to reach out. Let us know if these steps help resolve the issue!
-
Thank you Bailey. I used your resources and created the following script that combines the SSL Cert pre-install and the package install. I was able to successfully deploy to my device via Intune and verified the cert installed correctly and my agent was updated to the latest 1.8.6 version! Providing the script in case anyone else is looking for a similar deployment:
#!/bin/bash
# Install the Certificate
curl -sSL https://app.dnsfilter.com/certs/DNSFilter.cer -o /tmp/DNSFilter.cer
sudo security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /tmp/DNSFilter.cer
# Install the DNSFilter Agent (using original filename)
curl -sSL https://download.dnsfilter.com/User_Agent/MacOS/DNSFilter%20Agent-Installer.pkg -o /tmp/DNSFilter%20Agent-Installer.pkg
cd /tmp || exit 1 # Handle cd failure
echo "Enter Site Key Here" > dns_agent_site_key
sudo installer -dumplog -pkg "DNSFilter%20Agent-Installer.pkg" -target / # Use original filename with quotes
# Clean up (optional but good practice)
rm -f /tmp/DNSFilter.cer
rm -f /tmp/DNSFilter%20Agent-Installer.pkg # Remove with original filename
rm -f /tmp/dns_agent_site_key
echo "Installation complete."
-
Matt Stropoli I'm happy to hear it worked for you and thank you for adding additional insights to our documentation for other users!