Deploying shft with Microsoft Intune
This guide covers deploying the shft app and configuration profile through Microsoft Intune for macOS devices.
Prerequisites
- Microsoft Intune with macOS management configured
- macOS devices enrolled in Intune (via Apple Business Manager / automated device enrolment or user enrolment)
- The shft
.pkginstaller - The shft configuration profile (see Configuration profile reference)
Step 1: Upload the shft package
- In the Microsoft Intune admin center, navigate to Apps → macOS
- Click Add
- Select App type: macOS app (PKG)
- Click Select
App information
| Field | Value |
|---|---|
| Name | shft |
| Description | Mac-to-Mac migration tool for enterprise device refresh |
| Publisher | Machinery Software |
| Minimum operating system | macOS 14.0 |
| Category | Utilities |
- Upload the
shft-<version>.pkgfile
Detection rules
Intune uses detection rules to determine if the app is already installed:
| Field | Value |
|---|---|
| Rule type | File exists |
| Path | /Applications/shft.app |
Alternatively, use a custom script:
#!/bin/bash
if [ -d "/Applications/shft.app" ]; then
echo "shft is installed"
exit 0
else
exit 1
fiAssignments
Assign the app to the appropriate groups:
- Required — installs automatically on target devices
- Available for enrolled devices — appears in Company Portal for user-initiated install
| Approach | Assignment type |
|---|---|
| All Macs | Assign as Required to All Devices (macOS) |
| Targeted | Assign as Required to a device group (e.g., "Device Refresh Macs") |
| Self-service | Assign as Available to All Users |
- Click Create
Step 2: Create the configuration profile
Intune deploys macOS configuration profiles through the Settings Catalog or a Custom profile with a .mobileconfig file. For shft, use the custom profile approach.
- Navigate to Devices → Configuration profiles
- Click Create profile
- Select:
| Field | Value |
|---|---|
| Platform | macOS |
| Profile type | Templates → Custom |
- Set the profile basics:
| Field | Value |
|---|---|
| Name | shft Configuration |
| Description | Admin policy for shft migration tool |
- Under Configuration settings, click Add a row for the custom configuration profile:
| Field | Value |
|---|---|
| Custom configuration profile name | shft Configuration |
| Deployment channel | User channel |
- Upload the
.mobileconfigfile
Build the profile using the example in Configuration profile reference. Ensure PayloadScope is set to User.
-
Under Assignments, assign to the same groups as the app deployment
-
Click Create
Step 3: Verify deployment
- On a target Mac, open Company Portal and check that shft appears
- If assigned as Required, wait for the next Intune sync (or trigger a sync from Company Portal → Settings)
- Verify shft is installed:
ls /Applications/shft.app - Verify the profile is applied:
defaults read com.shft.config - Open shft and confirm your organisation branding appears
Intune-specific notes
Deployment channel: User vs Device
The shft configuration profile must use the User channel deployment. This is because shft reads preferences from UserDefaults(suiteName: "com.shft.config"), which reads from the user-level managed preferences namespace.
If you deploy the profile through the Device channel, the preferences will be written to the system level and shft will not see them. Always use User channel.
PKG requirements for Intune
Intune requires PKG files to meet certain criteria:
- The PKG must be a flat package (not a bundle-style package)
- The PKG must be signed
- Maximum file size: 8 GB
The shft PKG meets all these requirements.
Sync timing
Intune syncs with macOS devices approximately every 8 hours by default. To ensure the profile and app are deployed before a migration:
- Deploy the profile and app at least 24 hours before the scheduled migration
- Or ask the user to open Company Portal and tap Check Status to trigger an immediate sync
Conditional access
If your Intune environment uses Conditional Access policies, ensure that the Macs involved in migration can reach each other on the local network. Conditional Access does not affect shft's local network operations, but network-level policies (e.g., NAC) might.
Compliance policies
Create a compliance policy to verify migration readiness:
- Navigate to Devices → Compliance policies
- Create a policy for macOS
- Add a custom compliance script that checks for shft installation and profile presence
#!/bin/bash
shft_installed=false
profile_applied=false
if [ -d "/Applications/shft.app" ]; then
shft_installed=true
fi
if defaults read com.shft.config shft.brandingName &>/dev/null; then
profile_applied=true
fi
cat <<EOF
{"shft_installed": $shft_installed, "profile_applied": $profile_applied}
EOFTroubleshooting profile delivery
If the configuration profile is not being applied:
- Check the deployment channel — it must be
User channel, notDevice channel - Verify the
.mobileconfigis valid:plutil -lint your-profile.mobileconfig - Check the Intune Management Extension logs on the Mac:
/Library/Logs/Microsoft/Intune/ - Verify the PayloadType matches the preference domain:
com.shft.config - Ensure the PayloadScope in the
.mobileconfigis set toUser