Deploying unsigned DMG files – natively supported or script workaround? [Solved]

Participant
Discussion
3 months ago Dec 13, 2025

Hi everyone, 

I am running into a roadblock with an internal macOS deployment and could use some advice. Our development team just provided an in-house testing application packaged as a standard, unsigned .dmg file. They’ve asked me to deploy it silently to our remote macOS fleet. 

I initially tried to push the file out using Hexnode, but the deployment consistently hangs or fails on the endpoint. 

Does Hexnode natively support deploying unsigned DMGs? If not, what is the standard workaround here? I’ve looked into pushing the installation via a bash script, but I’ve read that scripting the deployment of an unsigned DMG is notoriously difficult due to macOS security restrictions. Has anyone successfully navigated this? 

Replies (3)

Marked Solution (Pending Review)
Participant
3 months ago Dec 14, 2025

Hi @josiah,

This is a very common scenario when working with internal development teams.

To answer your first question: Hexnode cannot natively deploy unsigned DMG or PKG files through the standard app deployment policies. This is actually an Apple MDM protocol and Gatekeeper limitation, not a Hexnode-specific one. macOS will inherently block the silent installation of an unsigned binary because it cannot verify the developer identity.

You are also correct that scripting a DMG deployment is a headache. You would have to script the mounting of the virtual drive (hdiutil), copy the .app to the Applications folder, manually strip the Apple quarantine flags (xattr -rc), and unmount the drive. It is highly prone to failure.

The Workaround: The most reliable method is to convert the .app from the DMG into a PKG file and then deploy that unsigned PKG using Hexnode’s Execute custom script remote action.

  1. Convert to PKG: Mount the DMG on your local Mac, move the .app to your Applications folder, and use Apple’s native Terminal command to repackage it:
  2. Host the file: Upload that newly created .pkg to a secure cloud storage location that can generate a direct download link.
  3. Deploy via Script: Hexnode has a standard script in their repository for deploying unsigned packages. You run a bash script via Hexnode that uses curl to download the PKG to a temporary folder and then installs it. Here is the script you will need:

Because Hexnode executes the script with root privileges, it bypasses the standard MDM Gatekeeper checks and forces the installation.

Marked Solution (Pending Review)
Participant
3 months ago Dec 15, 2025

@amelia, thank you for the detailed breakdown.  

I avoided the hdiutil route entirely, used productbuild to generate the PKG, and hosted it on our internal AWS S3 bucket. I just pushed the script via Hexnode’s remote actions, and the app installed silently on my test machine without triggering any Gatekeeper prompts. 

As a quick follow-up, is this script method considered a viable long-term strategy for deploying these internal tools? 

Marked Solution (Pending Review)
Participant
3 months ago Dec 17, 2025

Glad to hear it worked for you. 

To answer your follow-up: No, I wouldn’t recommend relying on this as a long-term strategy. While the root script workaround is effective for getting testing tools out the door quickly, it circumvents macOS security protocols. Apple is also consistently tightening background installation rules with every OS release, so there is no guarantee this method won’t be restricted in the future. 

The best practice is to require your development team to export a Developer ID Installer certificate from their Apple developer account and sign the package before handing it over to IT. 

Once the application is properly signed, you completely eliminate the need for custom scripts and hosting. You can simply upload the signed .pkg directly to the Hexnode app inventory and deploy it via a standard required apps policy. I usually set the expectation with devs that unsigned apps are strictly for small-scale testing, and production releases must be signed. 
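The signed-package route described above, as an added bash example that is not code from the thread: sign the component PKG with the development team's Developer ID Installer identity using Apple's productsign, then verify the result with pkgutil and spctl before it goes into the MDM app inventory. The identity string and file names are placeholders, and the two report strings are constructed samples mirroring the layout pkgutil prints, so the parsing function can be exercised without a Mac.

```shell
#!/bin/bash
# Added example (not from the thread). Sign a PKG with a Developer ID Installer
# certificate and check the signature before uploading it to the MDM. The
# identity, file names and sample reports below are placeholders/constructed.
set -euo pipefail

# Sign in.pkg with the Developer ID Installer identity from the login keychain.
# It must be the Installer variant; a Developer ID Application certificate is
# for app bundles, not packages.
# Example: sign_pkg "Developer ID Installer: Example Corp (TEAMID1234)" InternalTool.pkg InternalTool-signed.pkg
sign_pkg() {
  local identity="$1" in_pkg="$2" out_pkg="$3"
  productsign --sign "$identity" "$in_pkg" "$out_pkg"
}

# Constructed sample reports (not captured from a real system), in the layout
# `pkgutil --check-signature` prints, used to exercise chain_has_devid offline.
SAMPLE_SIGNED_REPORT='Package "InternalTool.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID1234)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED_REPORT='Package "InternalTool.pkg":
   Status: no signature'

# Reads a pkgutil report from stdin; succeeds only if the package is reported as
# signed and the chain contains a Developer ID Installer leaf.
chain_has_devid() {
  local report
  report="$(cat)"
  case "$report" in
    *"Status: signed"*"Developer ID Installer:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Full check on a real package: certificate chain, then Gatekeeper's own
# install assessment, which is the policy the MDM-driven install will hit.
# Example: verify_signed_pkg InternalTool-signed.pkg
verify_signed_pkg() {
  local pkg="$1"
  pkgutil --check-signature "$pkg" | chain_has_devid || {
    echo "$pkg: not signed with a Developer ID Installer certificate" >&2
    return 1
  }
  spctl --assess --type install --verbose "$pkg" || {
    echo "$pkg: rejected by Gatekeeper" >&2
    return 1
  }
}
```

Running `verify_signed_pkg` as a gate before the upload turns the "unsigned apps are for small-scale testing only" expectation into something IT can enforce mechanically rather than by asking the developers.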
