Error seen while installing the SASE client on macOS with MS Intune:



This is a known issue related to MDM, and the limitation is from Intune. Please refer to the following procedure for distributing the client via Intune-based MDM:

Intune-based MDM distribution - SASE Client for macOS

To distribute a SASE (Secure Access Service Edge) client to macOS devices using Microsoft Intune (MDM), you can follow a structured approach based on whether the SASE vendor provides a .pkg installer or requires configuration profiles. Here's a step-by-step overview to deploy a SASE client.


Go to the Intune Admin Center (https://intune.microsoft.com) and navigate to:

Apps > macOS > + Add

Choose:

 App type: macOS app (PKG)

Upload your .pkg file. Fill in:

 App Information (name, publisher, version, etc.)

 Minimum macOS version

Under Assignments, choose:

 Groups (devices/users) to install to

 Whether install is Required, Available, or Uninstall

Click Create to finalize.


Step 1: Use the .pkg format




Step 2: Fill in the package details







Step 3: 



Pre-install script: mandatory if an existing installation needs to be cleaned up.



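#!/bin/sh
# Pre-install cleanup: removes a previous Versa SASE Client installation.

echo "Cleanup Log: Removing Sase Main App"
VersaApp='/Applications/Versa SASE Client.app'
if [ -d "$VersaApp" ]; then
    rm -rf "$VersaApp"
fi

echo "Cleanup Log: Removing versa.conf file"
rm -rf /private/var/conf/versa/*

echo "Cleanup Log: Removing from /etc/versa.conf file"
rm -rf /private/var/conf/

echo "Cleanup Log: Removing versa Log files"
rm -rf /private/var/log/versa/

echo "Cleanup Log: Removing versa Software files"
rm -rf /private/var/versa/

echo "Cleanup Log: Removing NewSyslog Software files"
# Use mktemp rather than a fixed /tmp name, and write back into the existing
# file so the owner and mode of /etc/newsyslog.conf are preserved.
if tmpfile=$(mktemp /tmp/tnewsyslog.XXXXXX); then
    grep -v "private/var/log/versa/" /etc/newsyslog.conf > "$tmpfile"
    # grep exits 0 or 1 after a successful read; anything else is an error.
    if [ $? -le 1 ]; then cat "$tmpfile" > /etc/newsyslog.conf; fi
    rm -f "$tmpfile"
fi

echo "Cleanup Log: Removing Files from /Users/Shared Folder"
rm -rf /Users/Shared/EIP/
rm -rf /Users/Shared/TrustedConnection.png
rm -rf /Users/Shared/versa.png
rm -rf /Users/Shared/sentinelOne.sh
# Absolute path (assumed from the log message above): a bare waDiagnose*
# would be resolved against whatever the working directory happens to be.
rm -rf /Users/Shared/waDiagnose*

echo "Cleanup Log: Unloading LaunchDaemons Files"
launchctl unload /Library/LaunchDaemons/com.versa.*
rm -rf /Library/LaunchDaemons/com.versa.*

echo "Cleanup Log: Unloading LaunchAgents Files"
launchctl unload /Library/LaunchAgents/com.versa.*
rm -rf /Library/LaunchAgents/com.versa.*

echo "Cleanup Log: Unloading preferences Files"
# ~ expands to the home directory of the account that runs this script.
rm -rf ~/Library/Preferences/com.versa.*

echo "Cleanup Log: Killing Versa Sase Client related process."
# The name with spaces is quoted so it is a single pgrep pattern, spelled as
# in the app bundle name; kill errors when nothing matches are discarded.
kill -9 $(pgrep SaseClientWebsockets) 2>/dev/null
kill -9 $(pgrep VSATrayApp) 2>/dev/null
kill -9 $(pgrep 'Versa SASE Client') 2>/dev/null

# A process that was not running must not make the script report failure.
exit 0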
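
The /etc/newsyslog.conf step in the pre-install script rewrites a root-owned file through a temporary file. The following is an added example, not part of the vendor's script, that does this step as a function using mktemp, refusing symlinks and keeping the file's owner and mode. The function name strip_conf_lines and the sample log file name are assumptions.

```shell
#!/bin/sh
# Added example, not the vendor's script. strip_conf_lines is a hypothetical helper.
# Usage: strip_conf_lines FILE STRING
# Removes every line of FILE that contains STRING (fixed string, not a regex).
# Returns 0 on success, non-zero with FILE left untouched on error.
strip_conf_lines() {
    conf=$1
    needle=$2
    rc=0

    # The script runs as root: refuse a missing file or a symlink, so a link
    # planted by a local user cannot redirect the write to another file.
    [ -f "$conf" ] && [ ! -L "$conf" ] || return 2

    # No matching line: leave the file byte-for-byte unchanged.
    grep -qF -- "$needle" "$conf" || return 0

    # mktemp picks an unpredictable name and creates the file with mode 0600,
    # unlike a fixed, guessable path under /tmp.
    tmp=$(mktemp "${TMPDIR:-/tmp}/newsyslog.XXXXXX") || return 3

    # grep -v exits 1 when it removed every line; only >1 is a real error.
    grep -vF -- "$needle" "$conf" > "$tmp" || rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$tmp"
        return 4
    fi

    # Write back into the existing file so its owner and mode are kept;
    # mv would replace them with those of the temporary file.
    rc=0
    cat "$tmp" > "$conf" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed sample file (the log file names are made up).
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX")
printf '%s\n' \
    '/var/log/system.log              640  7  *     @T00  J' \
    '/private/var/log/versa/sase.log  644  5  1000  *     J' \
    > "$demo_dir/newsyslog.conf"
strip_conf_lines "$demo_dir/newsyslog.conf" "private/var/log/versa/"
cat "$demo_dir/newsyslog.conf"
rm -rf "$demo_dir"
```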



 

Post-install script: mandatory, to set the permission.

 

#!/bin/sh
# Post-install: wait for the app bundle to appear, then restart the tray app.
# Retries up to 5 times, sleeping 10, 20, 30, ... seconds between attempts.
VersaApp='/Applications/Versa SASE Client.app'
a=1
while [ "$a" -le 5 ]
do
    if [ -d "$VersaApp" ]; then
        # Stop any running client processes before relaunching.
        kill -9 $(pgrep VSATrayApp) $(pgrep 'Versa SASE Client') $(pgrep 'SaseClientWebsockets') 2>/dev/null
        sleep 2
        open "$VersaApp/Contents/VSATrayApp.app"
        echo "Restarted Versa SASE Client successfully."
        break # Exit the loop on success
    fi
    sleep $((a * 10))
    a=$((a + 1))
done

 


Step 4: Select the only bundle identifier





Step 5: Add the required groups





Step 6: Review and create






Step 7: Upload the profiler for auto download/config using the attached sample profiler (.mobileConfig)