Documentation · MDM runbook

Microsoft Intune runbook

Managed deployment

Deploy BeProof on macOS via Intune device configuration and line-of-business apps.

Prerequisites: Intune licensed for macOS, macOS 14+ Apple Silicon, .pkg or .dmg LOB package.


1. Package the app

Build a signed PKG (recommended for silent install):

./scripts/build_mdm_pkg.sh \
  --app dist/app/BeProofApp.app \
  --version 1.0.5 \
  --output BeProofApp-macos.pkg \
  --signing-identity "Developer ID Installer: Your Org (TEAMID)"

2. Add line-of-business app

  1. Microsoft Intune admin centerAppsAll appsCreate
  2. Select macOS app (PKG) or macOS app (DMG)
  3. Upload BeProofApp-macos.pkg
  4. Set bundle ID: com.beproof.app
  5. Assign to a Pilot device group

Install behavior: Required for pilot, Available for broader rollout after validation.


3. PPPC configuration profile

  1. DevicesmacOSConfigurationCreate profile
  2. Platform: macOS, Profile type: TemplatesCustom (or Privacy Preferences where available)
  3. Upload signed com.beproof.app.pppc.mobileconfig
  4. Assign to the same pilot group before or with the app install

See PPPC.md for template customization.


4. Org-policy overlay via shell script

Intune Shell scripts (macOS):

  1. DevicesmacOSScriptsAdd
  2. Run script as Administrator
  3. Example:
#!/bin/bash
set -euo pipefail
ORG_DIR="/Library/Application Support/BeProof"
mkdir -p "$ORG_DIR"
cat > "$ORG_DIR/org-policy-overlay.json" <<'EOF'
{
  "version": "1.0",
  "orgPolicyId": "YOUR-ORG-ID",
  "approvedScanRoots": ["~/Projects"],
  "requiredSources": ["declared", "granted"],
  "requiredCloudConnectors": [],
  "runtimeTelemetryRequired": false,
  "approvedGrantScopes": {}
}
EOF
chmod 644 "$ORG_DIR/org-policy-overlay.json"

Assign script to pilot group. Prefer hosting JSON in your repo and curling with integrity check for production.

Target path:

/Library/Application Support/BeProof/org-policy-overlay.json

5. Verification

beproof verify-install --app /Applications/BeProofApp.app --format json
beproof evaluate-policy --format json | jq '{auditMode, scanScopeSource, orgPolicyId}'

Use Intune Device health / script return codes: 0 = overlay script success.


6. CLI distribution (optional)

Deploy CLI separately via script:

brew tap oxy9en/beproof https://github.com/oxy9en/AgAudit-releases
brew install beproof

Note: CLI inherits Terminal TCC — document in runbook if operators use CLI for keychain-inclusive scans.

See also: deploy README