Install macOS Roaming Client using Intune

Minetta Gould Community Team

DNSFilter Staff

June 09, 2025 16:41
Edited

🚨 Important: Due to security changes in macOS Sequoia (OS 15), the instructions on this page may no longer apply to Roaming Client version 2.2.0 and above. These methods are no longer officially supported.

If you've successfully deployed the macOS Roaming Client v2.2.0+ using an RMM or MDM tool under these new conditions, we encourage you to share your steps in the Community to help others navigating similar setups.

Follow this post to install the macOS Roaming Client via Intune, Microsoft's endpoint manager.

What you need from DNSFilter

Setup a network Site to associate with the agents. Make sure to assign the appropriate Filtering Policy and Block Page to the Site
The Site Secret Key (SSK) from the Roaming Client Install tab
Create the script below to download and install the macOS Roaming Client:#!/bin/sh

curl https://download.dnsfilter.com/User_Agent/MacOS/DNSFilter%20Agent-Installer.pkg -o /tmp/DNSFilter%20Agent-Installer.pkg

cd /tmp && echo INSERTYOURSITESECRETKEYHERE > dns_agent_site_key && sudo installer -dumplog -pkg DNSFilter%20Agent-Installer.pkg -target /
Add the SSK to the script INSERTYOURSITESECRETKEYHERE line

Intune Specifications

Add the macOS Roaming Client following Microsoft's Shell Script instructions.

Comments

6 comments

Jos Busby

October 16, 2024 13:36
This method had previously worked in MacOS Sonoma but now either as result of MacOS Sequoia or the fact the package has been updated we face this issue.

"DNSFilter%20Agent-Installer.pkg was signed with a certificate that is not valid for store submission"
0
Bailey Taylor Community Manager DNSFilter Staff

October 16, 2024 17:14
Jos Busby The issue you’re encountering is due to new security settings in MacOS Sequoia, which now require a certificate for installation that Sequoia doesn't provide. To fix this, you’ll need to uninstall the latest version of DNSFilter and then reinstall 1.8.6, which should resolve the issue.

Alternatively, you can manually push the update if that’s easier for your environment. Let us know if you need further assistance!
0
Matt Stropoli

February 10, 2025 19:10
Hey Bailey,

We are getting the following error on devices trying to install for the first time:

installer: Note: running installer as an admin user (instead of root) gives better Mac App Store fidelity installer: Warning: DNSFilter%20Agent-Installer.pkg was signed with a certificate that is not valid for store submission.
installer: Installation Check: Passed
installer: Volume Check: Passed installer: Bundle com.dnsfilter.agent.macos will be installed to /Applications/DNSFilter Agent.app
installer: Starting install
installer: Install 0.0% complete
installer: Install failed: The install was canceled because the application integrity could not be verified.
0
Bailey Taylor Community Manager DNSFilter Staff

February 11, 2025 16:47
Hi Matt Stropoli, the installation issue you’re experiencing may be related to changes in macOS Sequoia, which affect how applications can be installed using the -store flag in the installer command. Apple has introduced new restrictions that prevent installations from proceeding when using this flag, which can lead to integrity verification failures.
Workarounds & Next Steps:
1. Modify the Installation Command:
  
  Ensure that you've removed the -store option from the installer command:
  
  cd /tmp && echo ac796366624e3a6be0265570 > dns_agent_site_key && sudo installer -dumplog -pkg DNSFilter%20Agent-Installer.pkg -target /
  
  Note: Removing -store will prompt the user to manually approve the SSL certificate installation, meaning it will no longer be a fully silent install.
2. Pre-Install the SSL Certificate:
  
  To ensure the installation proceeds smoothly, manually deploy the SSL certificate to the device before installing the agent.
  
  You can download the SSL certificate from the DNSFilter Dashboard and deploy it using Intune or manually add it to the macOS Keychain.
  
  Guide: Install SSL certificates to display a Block Page on HTTPS-based websites
3. Upcoming Solution:
  
  DNSFilter is working on an update to the roaming client that will only install SSL certificates if they are not already present.
  
  This update will allow silent installations again when the SSL certificate is pre-installed.
  
  While we don’t have an ETA yet, we will provide updates as soon as the new version is available!
If you have any further questions or need additional assistance, feel free to reach out. Let us know if these steps help resolve the issue!
0
Matt Stropoli

February 11, 2025 21:29

Edited
Thank you Bailey. I used your resources and created the following script that combines the SSL Cert pre-install and the package install. I was able to successfully deploy to my device via Intune and verified the cert installed correctly and my agent was updated to the latest 1.8.6 version! Providing the script in case anyone else is looking for a similar deployment:

#!/bin/bash
# Install the Certificate
curl -sSL https://app.dnsfilter.com/certs/DNSFilter.cer -o /tmp/DNSFilter.cer
sudo security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /tmp/DNSFilter.cer

# Install the DNSFilter Agent (using original filename)
curl -sSL https://download.dnsfilter.com/User_Agent/MacOS/DNSFilter%20Agent-Installer.pkg -o /tmp/DNSFilter%20Agent-Installer.pkg cd /tmp || exit 1 # Handle cd failure
echo "Enter Site Key Here" > dns_agent_site_key
sudo installer -dumplog -pkg "DNSFilter%20Agent-Installer.pkg" -target / # Use original filename with quotes

# Clean up (optional but good practice)
rm -f /tmp/DNSFilter.cer
rm -f /tmp/DNSFilter%20Agent-Installer.pkg # Remove with original filename
rm -f /tmp/dns_agent_site_key echo "Installation complete."
3
Bailey Taylor Community Manager DNSFilter Staff

February 12, 2025 13:57
Matt Stropoli I'm happy to hear it worked for you and thank you for adding additional insights to our documentation for other users!
0