Microsoft Intune
This article provides step-by-step instructions to implement the App Catalog using Microsoft Intune.
Last updated 5 days ago
Requirements
Configuration Profile
Basic

This profile includes the required Notifications payload, Managed Login Item payload and PPPC payload.
Custom
Example<key>authorization</key>
<string>REDACTED</string>
<key>UpdateInterval</key>
<integer>1</integer>
<key>EnabledApps</key>
<array>
<dict>
<key>BundleID</key>
<string>nl.root3.support</string>
<key>Category</key>
<string>Utilities</string>
</dict>
<dict>
<key>BundleID</key>
<string>corp.sap.privileges</string>
<key>Category</key>
<string>Security</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.google.Chrome</string>
<key>Category</key>
<string>Browsers</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.microsoft.edgemac</string>
<key>Category</key>
<string>Browsers</string>
</dict>
</array>
Click Next, assign the users or devices and click Add
Supporting Configuration Profiles
macOS - App Catalog_Supporting_Profiles.json
11.8 KBβ’ Text


Automatically installing apps or make available in Company Portal
Upload apps directly to Intune (Admin Mode)
Catalog App in Admin Mode can upload an app as a PKG straight to your Intune tenant via the Microsoft Graph API, no need to download a package and create the app in Intune yourself.
What gets uploaded: the PKG is not the application itself. It's a small installer package that runs the Catalog Agent in a post-install script, which then downloads and installs the actual app on the device. This is the same mechanism as the Package deployment tool, so the app stays up to date and is sourced from App Catalog rather than bundled into a static package.
Requirements
An administrator with at least the Intune Administrator role
One-time admin consent for the App Catalog (Admin Mode) enterprise application (see below)
First-time setup and grant admin consent
Catalog App's Intune upload authenticates via OAuth 2.0 / OIDC with PKCE as a verified multi-tenant enterprise application (App Catalog (Admin Mode), published by Root3). It uses delegated permissions on behalf of the signed-in admin, not app-only access, requests only DeviceManagementApps.ReadWrite.All (plus sign-in basics), stores tokens in the macOS Keychain, and is fully revocable under Entra ID β Enterprise applications
The first time you use the upload button, an administrator signs in with their work/school account and grants consent once. You don't need to register anything in Entra ID or supply a client/tenant ID, sign-in is automatic to your own tenant.
After consent is granted, select an app in Admin Mode and choose Upload to Intune. The package is uploaded to your tenant and appears under Devices β macOS β macOS apps. On install, its post-install script invokes the Catalog Agent to install the app.


Package
Manually
Example#!/bin/zsh --no-rcs
# Install App Catalog when not installed yet
if [[ ! -f "/usr/local/bin/catalog" ]]; then
curl -sSL https://cdn.appcatalog.cloud/install_app_catalog.zsh | zsh
fi
# Install app
/usr/local/bin/catalog install "BUNDLE_IDENTIFIER"install_google_chrome.zsh
262 bytes
