Category filter

How to convert APP to PKG for enterprise app distribution

At a Glance

In macOS enterprise environments, a standalone .app bundle is not natively designed for zero-touch, silent distribution. Converting a local .app bundle to a flat .pkg (Package) installer is a critical packaging step that transforms a manual, drag-and-drop user action into a scriptable, deployable payload. Creating a PKG ensures the application is installed in a standardized path (typically /Applications), secures the app with system-level ownership so standard users cannot modify or delete it, and provides the exact file format required by Hexnode UEM to push software silently to macOS fleets at scale.

APP vs DMG vs PKG vs MPKG

Understanding macOS software distribution formats is essential before preparing an app for MDM deployment.

Format What it is Best for Enterprise deployment note
APP macOS Application Bundle (Directory disguised as a file) Direct execution Cannot be directly pushed via MDM; requires packaging.
DMG Disk Image (Virtual mountable disk) Consumer distribution Requires user interaction (drag-and-drop); poor for silent UEM pushes.
PKG Flat Package Installer (Archive containing payload and scripts) Automated, scriptable installs The gold standard and required format for silent Hexnode UEM distribution.
MPKG Metapackage (Contains multiple nested PKG files) Legacy complex software suites Deprecated for modern MDM; use distribution XML with flat PKGs instead.

When Should You Convert APP to PKG?

  • When you need to execute silent, zero-touch installations across a fleet of Macs.
  • To strictly enforce the installation path to /Applications, preventing users from running apps from their Downloads folder.
  • To block manual user interaction, eliminating the need for “drag-to-install” splash screens.
  • To ensure the deployment is fully auditable and trackable within the Hexnode UEM console.

When a Simple Wrapper is Insufficient

A basic conversion using productbuild simply takes the .app directory bundle and drops it into the /Applications folder. However, complex enterprise software often consists of more than just the main application bundle. A simple wrapper fails when an application also needs to install auxiliary files across different system directories or requires:

  • Pre-install or post-install scripts (e.g., injecting a license key or cleaning up old versions).
  • Deployment of LaunchDaemons or LaunchAgents for background persistence.
  • Installation of System Extensions or kernel components.
  • Privacy Preferences Policy Control (PPPC) or Full Disk Access permissions (which must be handled via Hexnode Configuration Profiles, not the PKG itself).

macOS Packaging Tools Comparison

Tool Best Use Notes
productbuild –component Simple APP to PKG wrapping Built natively into macOS; best for standalone, scriptless apps.
pkgbuild Creating component packages Ideal for payloads containing non-app files or requiring scripts.
productbuild (with XML) Combining multiple PKGs Uses a distribution XML file to dictate complex installation logic.
Packages (GUI) Visual package creation A free, community-standard GUI tool for managing complex deployments.
AutoPkg Automated patch management Automatically pulls, builds, and uploads packages to your management system.
munkipkg Git-friendly packaging A command-line tool utilizing YAML/plist configurations for version control.

Convert APP to PKG Using productbuild

The native macOS productbuild command is the fastest way to convert a simple application bundle into an installer package.

Open Terminal and execute the following command:

Command Breakdown:

  • --component "/Applications/Sample App.app": The source path of the .app bundle to package.
  • "/Applications": The exact destination path where the PKG will install the app on the target endpoint.
  • "$HOME/Desktop/Sample App.pkg": The output path and file name for your newly generated package.

Validate the Generated PKG

Before uploading any package to Hexnode, administrators must validate its structure and test its execution locally.

Check the Package Signature:

Expand and Inspect the Payload:

Use this to verify the internal file structure of the PKG without installing it.

Test Silent Installation Locally:

This simulates exactly how the MDM agent will execute the package.

Sign the PKG Before Deployment

To bypass Apple’s Gatekeeper and ensure a smooth, silent installation via MDM, packages should be signed using an Apple Developer Developer ID Installer certificate.

Code signing verifies your identity as the administrator and ensures the package payload has not been tampered with since creation.

For a comprehensive, step-by-step guide on acquiring the certificates and signing your package using the terminal, refer to the official Hexnode guide: How to sign macOS PKG files for deployment with Hexnode MDM.

Simple APP-to-PKG Conversion vs. Enterprise-Ready PKG

Requirement Simple productbuild Enterprise-Ready Package
Payload Delivery Moves .app to /Applications only. Can place payloads anywhere (e.g., /Library/LaunchDaemons).
Script Handling No pre/post-install script support. Executes bash/zsh scripts for configuration or licensing.
TCC/PPPC Permissions User is prompted for permissions on launch. Pre-empted by deploying a Hexnode PPPC profile alongside the PKG.
Gatekeeper Bypass Fails silently if unsigned/untrusted. Signed securely with a Developer ID Installer certificate.

Deploy the Converted PKG using Hexnode UEM

Once your PKG is generated, validated, and signed, it is ready for fleet deployment.

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Apps > Local Apps > +Add Apps > Enterprise Apps and choose platform as macOS.
  3. Upload your generated .pkg file, provide the necessary metadata, and click Add.
  4. Navigate to Policies and click New Policy > Create a fully custom policy (or edit an existing policy).
  5. Go to macOS > App Management > Required Apps and click Configure.
  6. Click + Add > Add App, select your newly uploaded Enterprise PKG, and click Done.
  7. Navigate to the Policy Targets tab, assign the policy to your target Devices, Device Groups, Users, User Groups or Domains/OUs and click Save.

Pre-Deployment Checklist

  • Clean Test Environment: The PKG has been tested on a fresh macOS Virtual Machine (VM) without preexisting app configurations.
  • Architecture Compatibility: The .app bundle is a Universal binary or specifically matches the architecture (Intel vs. Apple Silicon) of the target fleet.
  • Profiles Pre-deployed: Any required Kernel Extension, System Extension, or PPPC configuration profiles have been pushed to the endpoint before the app installation.
  • Signature Validated: The PKG is signed and clears Gatekeeper checks (spctl -a -v --type install YourApp.pkg).

Troubleshoot APP-to-PKG Conversion Issues

Issue Likely Cause Fix
“Cannot write product” error Permission denied at output directory. Change output path to ~/Desktop or run command with sudo.
PKG installs but app is missing Incorrect destination path in command. Ensure the second argument in productbuild is exactly /Applications.
PKG installs but won’t open Architecture mismatch or Quarantine flag active. Verify binary compatibility; remove quarantine flag via xattr -c.
User sees Gatekeeper security warning Unsigned PKG triggering local security blocks. Sign the package using productsign and a valid Developer ID.

Frequently Asked Questions

Can I convert any macOS APP to PKG?

Yes, any .app bundle can be wrapped into a .pkg. However, complex applications that rely on hidden support files, specific user-level licensing, or system daemons will require an advanced packaging tool (like AutoPkg or Packages) rather than a simple wrapper.

Why convert APP to PKG for Hexnode deployment?

Hexnode UEM, like all modern Apple MDM solutions, relies on the native macOS installer binary to deploy enterprise applications silently. This binary exclusively accepts .pkg files.

Is productbuild enough to create an enterprise-ready PKG?

For simple, self-contained applications (like a basic text editor or a standalone utility), productbuild is entirely sufficient. For enterprise software requiring configuration scripts and background services (like VPN clients or security agents), you must use advanced packaging tools.

What install path should I use when converting APP to PKG?

The industry standard and expected destination for all macOS GUI applications is /Applications. Using other directories may cause permissions issues or confuse end-users trying to locate the software.

Deploying and Managing Apps