Intune Configuration for Mac Agents

Deploying the Privilege Manager Mac agent through Microsoft Intune consists of the following steps:

Step 1 - Create Configuration Profiles in Intune

Step 2 - Verify Profile Delivery

Step 3 - Prepare the Pre-Install Script

Step 4 - Deploy the PKG via Intune

Step 5 - Verify Successful Deployment

Prior to configuration, refer to the required Prerequisites for Mac Intune Installation.

Step 1 - Create Configuration Profiles in Intune

Create four custom macOS configuration profiles. These profiles are universal: they are identical for all customers, contain no tenant-specific configuration, and grant the Delinea agent the macOS system permissions it requires (system extensions, full disk access, notifications, accessibility/Apple Events).

Profile Creation

  1. Go to: https://intune.microsoft.com.

  2. At the Microsoft Intune admin center, select Devices | Manage devices | Configuration | Policies.

  3. Click Create | New Policy.

    Do NOT use the Import Policy (preview) option. That feature imports exported Intune policy JSON files; it does not accept .mobileconfig or .xml profile files, and uploading a .mobileconfig there fails silently. Use Create | New Policy with Profile type Templates and Template name Custom to upload configuration profiles.

  4. Specify the following parameters.

    Parameter       Value
    Platform        macOS
    Profile type    Templates
    Template name   Custom

Required Profiles

Create each of the following four profiles.

Profile Display Name                  Purpose
Privilege Manager White List          Allows Delinea system extensions
Privilege Manager Full Disk Access    Grants Full Disk Access to the agent daemon
Privilege Manager Notifications       Allows notification prompts from the Privilege Manager GUI
Privilege Manager Events              Grants Accessibility and Apple Events permissions

Profile Configuration Settings

Four required .mobileconfig files are provided here: Intune Profiles for Mac Agent. These profiles are identical for all customers. They contain only Delinea bundle identifiers and code signing requirements, with no tenant-specific configuration.

For each profile, configure the following in Intune:

  1. On the Basics tab, set the Name to the exact display name from the table above.

  2. On the Configuration settings tab, set the following parameters:

    CRITICAL: Deployment channel: Device channel

    Custom configuration profile name: Use the same name as the display name

    Configuration profile file: Upload the matching .mobileconfig file provided with this guide

    The Deployment channel MUST be set to Device channel for all four profiles. These are system-level permissions (PPPC, system extensions) that apply to the device, not the user.

  3. On the Assignments tab, assign to the device group containing your target Mac agents.

  4. Click Create.

    The profile XML source can also be found at Custom Configuration Profiles for Intune.

    The profile display name you set becomes part of the identifier Intune uses internally. The pre-install script expects names matching the pattern www.windowsintune.com.custompayload.Privilege Manager [Name]. If you use different display names, the pre-install script will fail silently.

Step 2 - Verify Profile Delivery

Profile delivery is NOT instant. After assignment, it can take 30 seconds to several minutes. Do NOT proceed to PKG deployment until all four profiles are confirmed on the device.

Force a Sync

After creating and assigning all four profiles, force a device check-in with Option A or Option B.

  • Option A

    Open Company Portal on the Mac agent and click Check status.

  • Option B

    Enter the following command on the Mac:

    sudo profiles renew -type enrollment

If the above command returns a DEP enrollment error, your Mac was enrolled manually (e.g. via Company Portal) rather than through Automated Device Enrollment. In that case, use this command instead to trigger an MDM check-in:

sudo /usr/libexec/mdmclient QueryDeviceInformation

Verify Installed Profiles

  1. Enter the following command to list installed profiles.

    sudo profiles list -verbose 2>/dev/null | grep "attribute: name:"

    You should see all four Privilege Manager profiles listed alongside the Management Profile.

  2. Enter the following command for detailed verification (matches what the pre-install script checks).

    sudo profiles show -output stdout-xml | grep "www.windowsintune.com.custompayload.Privilege Manager"

    You should see four matching lines, one per profile.

If profiles don't appear, wait a few minutes and force another sync. In some environments, the default Intune check-in interval is eight hours. A manual sync via Company Portal or the command above is strongly recommended.

Step 3 - Prepare the Pre-Install Script

The pre-install script runs before the PKG installs. It performs two critical tasks: it verifies that all four configuration profiles are present on the device, and it creates the agent configuration file with your TMS URL and install code.

Copy the pre-install script provided below and replace the placeholder values (shown in angle brackets):

  • Replace <your-instance> with your Privilege Manager cloud instance name (e.g., acmecorp).

  • Replace <region> with your Privilege Manager cloud region domain (e.g., .com, .eu, .com.au).

  • Replace <your-install-code> with the code from the Privilege Manager console: Admin | Agents | Installation Codes.

The resulting tmsBaseUrl must end with /Tms/ (including the trailing slash and capital T).

If the script exits 1 (profiles not found), the PKG installation will not proceed.
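Before pasting the edited script into Intune, it is worth checking the substituted values mechanically, because a leftover placeholder or a mistyped /Tms/ suffix only shows up later as a failed agent registration on the device. The following is an added example, not part of Delinea's pre-install script: it checks the tmsBaseUrl against the shape this guide requires (https://<instance>.privilegemanagercloud.<region>/Tms/), rejects install codes that are empty or still contain a placeholder (the example assumes nothing else about the install code format), and renders the same agentconfig.json body the script writes so you can eyeball it before deployment.

```shell
#!/bin/bash
# Added example (not Delinea's script): validate the values to be substituted
# into the pre-install script before it is uploaded to Intune.

# Returns 0 when the URL has the shape the guide requires:
#   https://<instance>.privilegemanagercloud.<region>/Tms/
# i.e. a trailing slash and a capital T, and no leftover <...> placeholder.
check_tms_base_url() {
    local url="$1"
    case "$url" in
        *'<'*|*'>'*)
            echo "tmsBaseUrl still contains a placeholder: $url" >&2
            return 1 ;;
    esac
    if ! printf '%s' "$url" | grep -Eq '^https://[A-Za-z0-9-]+\.privilegemanagercloud\.[a-z][a-z.]*/Tms/$'; then
        echo "tmsBaseUrl must be https://<instance>.privilegemanagercloud.<region>/Tms/ (got: $url)" >&2
        return 1
    fi
    return 0
}

# Returns 0 when the install code is non-empty and not a leftover placeholder.
# (Assumption: no further format is known, so nothing else is checked.)
check_install_code() {
    local code="$1"
    case "$code" in
        ''|*'<'*|*'>'*)
            echo "installCode is empty or still a placeholder: '$code'" >&2
            return 1 ;;
    esac
    return 0
}

# Print the agentconfig.json body the pre-install script would write, but only
# if both values pass the checks above. Exits non-zero otherwise.
render_agent_config() {
    local url="$1" code="$2"
    check_tms_base_url "$url" || return 1
    check_install_code "$code" || return 1
    printf '{"tmsBaseUrl": "%s",\n"installCode": "%s",\n"loginProcessingDelayS": 30, "validateServerCertificate": 0}\n' \
        "$url" "$code"
}

# Usage: ./check_values.sh https://acmecorp.privilegemanagercloud.com/Tms/ ABCD-1234
if [ "$#" -eq 2 ]; then
    render_agent_config "$1" "$2"
fi
```

Run it with the two values you intend to paste; a non-zero exit with the reason on stderr means the script would produce a configuration the agent cannot use.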


Pre-Install Script

#!/bin/bash
# Intune-internal identifiers of the four required custom profiles
# (derived from the display names set in Step 1).
declare -a profileNames=(
    "www.windowsintune.com.custompayload.Privilege Manager Events"
    "www.windowsintune.com.custompayload.Privilege Manager Notifications"
    "www.windowsintune.com.custompayload.Privilege Manager Full Disk Access"
    "www.windowsintune.com.custompayload.Privilege Manager White List")
foundProfiles=0
# Count how many of the required profiles are installed on this device.
for profileName in "${profileNames[@]}"; do
    if sudo profiles show -output stdout-xml | grep -qF -- "$profileName"; then
        echo "Profile with name '$profileName' is installed."
        ((foundProfiles+=1))
    else
        echo "Profile '$profileName' is not installed."
    fi
done
if [ $foundProfiles -eq ${#profileNames[@]} ]; then
    echo "All required profiles are installed."
    # Write the agent configuration file (replace the <...> placeholders).
    targetDirectory="/Library/Application Support/Delinea/Agent"
    agentConfigFile="$targetDirectory/agentconfig.json"
    /bin/mkdir -p "$targetDirectory"
    /bin/cat << EOF > "$agentConfigFile"
{"tmsBaseUrl": "https://<your-instance>.privilegemanagercloud.<region>/Tms/",
"installCode": "<your-install-code>",
"loginProcessingDelayS": 30, "validateServerCertificate": 0}
EOF
    sleep 5
    exit 0
else
    echo "Not all required profiles are installed."
    # A non-zero exit stops Intune from installing the PKG.
    exit 1
fi

Step 4 - Deploy the PKG via Intune

At the Microsoft Intune admin center:

  1. Go to Apps | All Apps | Add.

  2. Select app type: macOS app (PKG).

  3. Click Select.

  4. Supply the following parameters.

App Information

Select the DelineaManagementAgent PKG file

Name: Delinea Privilege Manager Agent

Publisher: Delinea

Program

CRITICAL: Pre-install script: Paste your customized pre-install script from Step 3 - Prepare the Pre-Install Script.

Post-install script: Leave empty (not needed)

Detection Rules

Intune automatically detects the bundle IDs and versions from the uploaded PKG. No manual configuration is needed here.

Leave Ignore app version set to Yes.

The included apps list is auto-populated and should not be edited, with one EXCEPTION: if the com.thycotictms-agent bundle ID is auto-populated, remove it.

Click Next.

Assignments

Assign to the same device group as the configuration profiles.

Only deploy the PKG to devices that already have all 4 configuration profiles installed. If the profiles haven't landed yet, the pre-install script will fail and the PKG will not install. Consider deploying the PKG after confirming profiles are on the device, or be prepared for the first install attempt to fail and retry at the next check-in.

  5. Click Create and monitor deployment status in Apps | Monitor | Device install status.

Step 5 - Verify Successful Deployment

Perform the following checks, using the commands indicated, to verify successful deployment.

Check Agent Processes

ps aux | grep -iE "pmcored|acsd" | grep -v grep

You should see pmcored and com.thycotic.acsd running.

Check LaunchDaemons

ls /Library/LaunchDaemons/ | grep delinea

You should see 7 daemons (pmcored, pmeventprocessord, pmeventuploaderd, etc.)

Check System Extension

systemextensionsctl list 2>&1 | grep thycotic

Should show com.thycotic.acsd as [activated enabled].

Check Agent Registration

sudo cat "/Library/Application Support/Delinea/Agent/agentconfiguration.json"

Should contain a platformId, agentId, and baseUrl matching your TMS URL. If this file exists with these values, the agent has successfully registered.

Note that agentconfig.json is the input file created by the pre-install script, while agentconfiguration.json is generated by the agent after successful registration.

Check the Console

In the Privilege Manager Console, navigate to Admin | Agents (or Computers). The Mac agent should appear as a registered endpoint within a few minutes.
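The checks in Step 5 can be consolidated into one script that reports pass/fail per item, which is convenient when verifying a pilot group of Macs. The following is an added example and not part of the Delinea guide. The registration check is a pure function over the agentconfiguration.json file, so it can be exercised offline against a constructed sample; it assumes the file is flat JSON with each key and its value on one line (the real file layout is not shown on this page, so adjust the extraction if yours is pretty-printed differently). The live checks wrap the guide's own commands and must be run as root on the Mac.

```shell
#!/bin/bash
# Added example (not the Delinea guide's script): consolidate the Step 5
# post-deployment checks into one pass/fail report.

AGENT_CONFIGURATION="/Library/Application Support/Delinea/Agent/agentconfiguration.json"

# Extract a string value for key $2 from the flat JSON file $1 without jq.
# Assumption: key and value sit on the same line. Prints nothing if absent.
json_string_value() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Returns 0 when $1 exists and contains a platformId, an agentId, and a
# baseUrl equal to the expected TMS URL $2, which is what the guide says a
# successfully registered agent writes.
check_agent_registration() {
    local file="$1" expected_url="$2" key value
    if [ ! -r "$file" ]; then
        echo "FAIL: $file not found (agent has not registered yet)" >&2
        return 1
    fi
    for key in platformId agentId; do
        value=$(json_string_value "$file" "$key")
        if [ -z "$value" ]; then
            echo "FAIL: $key missing from $file" >&2
            return 1
        fi
    done
    value=$(json_string_value "$file" baseUrl)
    if [ "$value" != "$expected_url" ]; then
        echo "FAIL: baseUrl is '$value', expected '$expected_url'" >&2
        return 1
    fi
    echo "OK: agent registered against $expected_url"
    return 0
}

# The guide's live checks (processes, LaunchDaemons, system extension),
# followed by the registration check. Run as root on the Mac.
verify_live_host() {
    local expected_url="$1" rc=0 daemons
    if ps aux | grep -iE "pmcored|acsd" | grep -v grep >/dev/null; then
        echo "OK: agent processes (pmcored, com.thycotic.acsd) running"
    else
        echo "FAIL: pmcored / com.thycotic.acsd not running" >&2; rc=1
    fi
    daemons=$(ls /Library/LaunchDaemons/ 2>/dev/null | grep -c delinea)
    if [ "$daemons" -ge 7 ]; then
        echo "OK: $daemons Delinea LaunchDaemons present"
    else
        echo "FAIL: $daemons Delinea LaunchDaemons present, expected 7" >&2; rc=1
    fi
    if systemextensionsctl list 2>&1 | grep thycotic | grep -q "activated enabled"; then
        echo "OK: com.thycotic.acsd system extension is [activated enabled]"
    else
        echo "FAIL: com.thycotic.acsd system extension not [activated enabled]" >&2; rc=1
    fi
    check_agent_registration "$AGENT_CONFIGURATION" "$expected_url" || rc=1
    return $rc
}

# Usage on the Mac:
#   sudo ./verify_agent.sh --live https://acmecorp.privilegemanagercloud.com/Tms/
if [ "${1:-}" = "--live" ]; then
    verify_live_host "$2"
fi
```

A non-zero exit means at least one check failed; the FAIL lines on stderr name the item, so the script can be pasted into an Intune shell script and its output read back from the device status view.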