Deploying XDR Agent for Mac with InTune


L0 Member

Hi all,


We're trying to bring our few Macs into the systems management fold, and being a Microsoft shop we want to use InTune to manage them.


Most Mac packages install files and then are configured in a separate set of commands after install. The XDR Mac client needs the config.xml file in place beside the Cortex XDR.pkg file when installing. I've tried creating a package (using the 'Packages' app) with the xml and pkg files in it and then running a postinstall script as part of that package to kick off the Cortex install using 'installer' as a bash command - but although the files get deployed, the Cortex client never gets installed.


Am I going about this the wrong way? Is there a way of modifying the Cortex XDR.pkg file to embed the Config.xml bits inside it so I can just deploy that package directly?


Has anyone successfully deployed this client using InTune?


Any help would be gratefully received.




L0 Member

Also having the same issue - documentation is just covering the extension portion and not the package/xml files. 


What's the right solution here? I've currently got agents installed with error code 307, can't connect. 

L0 Member


Did someone try to use ICEBERG?

1. We are aware that in terms of package deployment these applications only support packages (*.pkg) and metapackages (*.mpkg). There is a constraint here, but we can work around that by taking advantage of how packages work on macOS (see the additional information section for the package definition).
2. We are also aware that some applications, such as Apple Remote Desktop for instance (there may be others), also have the capability of copying files and running UNIX commands targeting multiple machines, which can also be leveraged to work around the problem.

- Both packages and metapackages support containing multiple embedded packages inside the main package
- This allows us to create a new package, that will contain both "Traps.pkg" and "Servers.xml"/"Config.xml" inside a single container
- Deployment of the package to your entire macOS environment on a simple package is possible in this way
- Several package creation applications for macOS are available that will facilitate this process.
- "Iceberg" application was chosen for this reference documentation, as it's free (and with BSD license)
- Other applications can be used, such as PackageMaker or any other at your disposal

1.1. Create new package:
- Install Iceberg and open the application
- Create new project
- Select Darwin package
- Give name to the project
NOTE: project name (which later will be the package name) cannot have spaces in it. Packages with empty spaces do not work and will fail, as you can see on the screenshot attached ("PackageNameBroken.png").
- Select Scripts tab
- Check postflight script, choose the selected script file as per 1.2 below
- Add "Traps.pkg" and "Config.xml" to additional resources
- You can edit the others tab if wanted, although not required
- Build
- Package is ready on the project folder
- You can upload the package to the macOS deployment applications

1.2. Script file:
- Script will just point to the package to install, the sub-package embedded inside the main package, "Traps.pkg"
- No file extension
- cannot be used to create or edit the file
- File content:
"#! /bin/sh

sudo installer -dumplog -verbose -pkg $1/Contents/Resources/Traps.pkg -target /"
- Open terminal
- Run command "vi postflight"
- Editor opens with the newly created file
- Press G (uppercase G)
- Press A (uppercase A)
- Paste file content
- Press escape
- Type ":wq" (write and quit)
- Script is created
- Run command "sudo chmod 777 postflight" and enter password
- This will give the file run permissions

2.1. Apple Remote Desktop copy + UNIX features:
- Copy "Traps.pkg" and "Config.xml" and script to a location on all needed endpoints
- Should be possible to place them on a folder and copy the folder with the 3 files
- Run the UNIX Command to all needed endpoints
- Command is "sudo ./postflight"

2.2. Script file:
- Script will install "Traps.pkg"
- No file extension
- cannot be used to create or edit the file
- File content:
"#! /bin/sh

sudo installer -dumplog -verbose -pkg ./Traps.pkg -target /"
- Open terminal
- Run command "vi postflight"
- Editor opens with the newly created file
- Press G (uppercase G)
- Press A (uppercase A)
- Paste file content
- Press escape
- Type ":wq" (write and quit)
- Script is created
- Run command "sudo chmod 777 postflight" and enter password
- This will give the file run permissions

Scripts for case 1 and 2 are attached for reference, file named "". Please feel free to modify or create yours if needed.

A video recording of the full tutorial following the instructions exactly as detailed above is attached to this article, file named "TrapsMacOsPackagingIceberg.mp4". This might help to clarify any doubts or follow the procedure more closely.

Additional Information
Please note that Palo Alto Networks does not enforce any specific software distribution tool, and it's each customer's decision to opt for the best tool for their environment. We provide the installation package and the config XML file, and with this data you can do everything that is needed to install Traps.

Palo Alto Networks engineers are not expected or required to hold knowledge on how every software distribution tool works, since we don't support any 3rd party products.  That said, each customer should be responsible for the decisions in terms of the deployment solutions and related implementations. 

Package Definition:
Package is a file system directory abstraction. We can also define it as a container that encapsulates all the daemons, kexts (short for kernel extension, aka kernel drivers in Windows), config files, launching agents and daemons, any direct dependencies (libraries) and possible needed scripts for pre or post installation.

- Additional information on macOS packages @
- Additional information on encapsulation @

As a learning experience:
- Grab any macOS package file (*.pkg)
- Rename it to *.zip
- Extract it to some location/folder
- You will probably see a single extracted file named "Payload~" or "Payload". Maybe not, and you will see other package files (*.pkg) and config files (*.xml), etc - which is the exact kind of package embedding we did to resolve the initial problem described in this KB. If that is the case, start the procedure again on the new packages.
- Once again rename "Payload~" to "" and extract it again
- You will probably see now the files mentioned above that are the content of the application. You might also see directly the application (*.app)
- In some cases you might have to repeat the renaming and extraction process 1 or 2 more times depending on the level of encapsulation done

About Iceberg:
(extracted from their official website @

Iceberg is an Integrated Packaging Environment (IPE) that allows you to create packages or metapackages conforming to the Mac OS X specifications.
With Iceberg, you can quickly create your installation packages using a graphic user interface similar to your favorite development tools.
Iceberg can also be useful for Administrators who want to gather in a metapackage numerous packages for remote distribution via Apple Remote Desktop.

- Additional information on Iceberg @
- Screenshots of all the application's views @

@MMoskovich next time, please quote your sources.

Traps macOS Deployment: How to Build Custom Packages for Microsoft InTune, AirWatch, Apple Remote De... 


Iceberg is no longer supported on new macOS versions, but there are other apps out there like "Packages" that work similarly. A 2nd option is to deploy only the package and then push a script that will connect the agents to the right tenant:

echo Password1|/Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool reconnect force <packageDistributionID>; sleep 5; /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin
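
An added example, not part of any post in this thread and not Palo Alto Networks code: a postinstall script for a wrapper package built with "Packages", following the same idea as the postflight script quoted above. It assumes "Cortex XDR.pkg" and "Config.xml" were added as additional resources and so sit next to the script; because the script runs as root, it refuses to install if either file or the staging directory is group- or world-writable. The function names and the INSTALLER override are illustrative.

```sh
#!/bin/sh
# Added example: postinstall for a wrapper package (not vendor code).
# Assumption: "Cortex XDR.pkg" and "Config.xml" were added as additional
# resources, so they are unpacked into the same directory as this script.

INSTALLER="${INSTALLER:-/usr/sbin/installer}"  # override for dry runs/tests
PKG_NAME="Cortex XDR.pkg"
CFG_NAME="Config.xml"

log() { echo "xdr-wrapper: $*" >&2; }

# Succeed only if both files are present and non-empty, and neither they
# nor the staging directory are writable by group or others. The script
# runs as root, so anything another user can modify must not be installed.
stage_ok() {
    dir=$1
    for f in "$PKG_NAME" "$CFG_NAME"; do
        if [ ! -s "$dir/$f" ]; then
            log "missing or empty: $dir/$f"
            return 1
        fi
    done
    loose=$(find -L "$dir" "$dir/$PKG_NAME" "$dir/$CFG_NAME" -prune \
        \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        log "group/world-writable, refusing to install: $loose"
        return 1
    fi
    return 0
}

# Install the embedded agent package; Config.xml stays beside it so the
# agent installer can pick it up. Quoting handles the space in the name.
install_agent() {
    dir=$1
    stage_ok "$dir" || return 1
    "$INSTALLER" -dumplog -verbose -pkg "$dir/$PKG_NAME" -target /
}

# Run only when Installer invokes this file under the name "postinstall".
case "${0##*/}" in
    postinstall) install_agent "$(cd "$(dirname "$0")" && pwd)" ;;
esac
```

A non-zero exit from the script makes the wrapper package report a failed install, so a missing Config.xml shows up in the management console instead of leaving an unconfigured agent.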


L0 Member

@poliveira: The 2nd option is working for us for macOS up to version 11. Awesome, thank you!

But I am trying to figure out how it works with the 1st option, "Packages". I spent a lot of days trying, but it doesn't work with Packages. I am a rookie in Packages; maybe I made mistakes, but I tried to mirror the steps from the Iceberg tutorial in Packages.

Please, would you be so kind and give a step-by-step introduction for "Deploy Cortex XDR agent for macOS with Packages for Intune"? I think a lot of people will be very thankful for that help.


Thanks and many Greetings!


Hey all,

I have the same problem.
It would be nice if there were such detailed instructions.


