Create a package installer for an application in Apple Business Essentials
You can create a package installer for an application that you can then add to Apple Business Essentials and deploy to users. If an application doesn’t have a package installer, it’s possible to use the tools built into macOS to create one for distribution. This is best done with applications that have a simple structure, such as those that are contained entirely within a single .app bundle, typically located in /Applications.
Sign your packages
Before you can create a package to distribute using Apple Business Essentials, you must have a cryptographic signing identity that’s trusted by your managed devices. This identity is used to verify who created a package and to verify that it hasn’t been altered after it was signed. If you’re a member of the Apple Developer Program, you can use your installer identity. See Sign your applications for Gatekeeper.
Create an installer identity
If you don’t have a signing identity, you can create one. The identity will have a name you choose and a random serial number to identify it (should you create more than one). If at any point these steps fail, close the Terminal window and open a new one. You must run these steps on a Mac with macOS 13 or later.
Create a folder on your Desktop named temp.
Open the Terminal app, then enter
cd
and press the Space bar once.Drag the temp folder into the Terminal app window.
You should see a path similar to:
cd /Users/[YourShortUserName]Desktop/packages
Press Return.
Enter
ID="name"
, where name is a short name for your organization. Don’t use spaces in the name without quotes. For example, My Company should be MyCo or “My Company” (with quotes).Press Return.
Important: All further commands must take place inside this window.
Paste in all the commands below, then press Return.
KEY="InstallerCertificate_${ID}_PrivateKey.pem"
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 \
-addext basicConstraints=critical,CA:false \
-addext keyUsage=critical,digitalSignature \
-set_serial "0x$(openssl rand -hex 4)" \
-subj "/CN=Installer Certificate ($ID)" \
-out InstallerCertificate_"$ID".pem \
-keyout "$KEY"
In the same Terminal window, paste in all the commands below, then press Return. Enter your password to set the new identity’s certificate as trusted.
security import "InstallerCertificate_$ID.pem"
security import "$KEY" \
-T /usr/bin/productbuild -T /usr/bin/pkgbuild
security add-trusted-cert -d InstallerCertificate_"$ID".pem
Open the temp folder to see your new certificate, named InstallerCertificate_name.pem, and its private key, named InstallerCertificate_name_PrivateKey.pem, where name is the name chosen earlier in step 4.
Keep a copy of the certificate for your records because it’s needed to configure devices to trust packages signed with it.
The private key has been imported into your keychain for secure storage and should be deleted from this folder.
Important: It’s important that you delete the certificate’s key so no one else can pretend to be from your organization and sign packages.
The identity expires one year after its creation. At that time you must follow this process again and re-sign any packages that were signed by the previous identity and are still being distributed. The RSA private key for your identity is saved in your keychain for security. If you need to build and sign packages on another Mac, you must export the private key for import on the other Mac.
Prepare your devices to trust your signing identity
After creating a signing identify, your devices must be configured to trust it. You can do this by distributing the identity’s certificate as a setting.
Retrieve the InstallerCertificate_name.pem for the identity, where name is the name chosen when creating it.
Follow the task Configure a Certificate setting, and assign it to all devices where you’re installing packages you create.
Important: Anyone who has the private key for a signing identity can create packages that configured devices trust without warning. Therefore if there’s any reason to believe the private key that matches the certificate has been lost or copied without authorization, you should delete the certificate setting and create a new signing identity.
Create a package for an application with a single bundle
After you have a signing identity that your devices are configured to trust, you can create packages with it so you can distribute apps to those devices. When you do, keep in mind that applications contained within a single .app bundle are the easiest to distribute.
Make sure the application is in your /Applications folder.
Create a folder on your Desktop named packages.
Open the Terminal app, then type
cd
and press the Space bar once.Drag the packages folder into the Terminal app window, then press Return.
You should see a path similar to:
$ /Users/[YourShortUserName]Desktop/packages
Enter
productbuild --sign
, then press the Space bar once.Add the name of your identity (where “name” is the name you entered in step 4 of the “Create an installer identity” task), press the Space bar once, type
--component
, then press the Space bar once again.Drag the application from /Applications into the Terminal window, then press the Space bar once.
Enter a name for the package, which must end in
.pkg
and which is generally the same name as the application.An example should look like this:
productbuild --sign MyCo --component /Applications/AppName AppName.pkg
Press Return.
The
productbuild
command prints information as it processes the application and builds the package in your packages folder.If this is the first time you’re using an identity you created, you may be prompted to enter your password to grant it permission to use the identity’s key. If so, enter your password and select Always Allow.
Quit the Terminal app.
Note: Packages signed with an identity created outside of the Apple Developer Program will be rejected unless they’re delivered by a mobile device management (MDM) solution to a managed device that’s already configured to trust the identity. If you attempt to install a package created by this method on other devices, the installation will fail.
Add the certificate to a setting
Apple devices must be configured to trust the new signing identity before the package can be sent to users to install the application.
Distribute the certificate. See Configure a Certificate setting.
After all devices have the new certificate, you can upload the package. See Create a package.