Skip to content

Add LOB (Managed PKG) app deployment visibility via native MDM channel#35

Open
houstontxguy wants to merge 1 commit intogilburns:mainfrom
houstontxguy:feature/lob-app-visibility
Open

Add LOB (Managed PKG) app deployment visibility via native MDM channel#35
houstontxguy wants to merge 1 commit intogilburns:mainfrom
houstontxguy:feature/lob-app-visibility

Conversation

@houstontxguy
Copy link
Copy Markdown

@houstontxguy houstontxguy commented Mar 18, 2026
edited
Loading

Summary

  • Adds visibility into Intune LOB apps (managed PKGs) deployed via Apple's native MDM InstallApplication command, which are currently invisible in IntuneLogWatch
  • Reads from macOS unified log (com.apple.ManagedClient / InstallApplication category), /var/log/install.log, and /Library/Receipts/InstallHistory.plist
  • Correlates all three sources into unified LOB deployment events grouped by MDM command UUID
  • Adds "LOB Installs" as a 4th filter button (⌘4) in the existing sidebar — no tab switching required
  • LOB stats appear in the Analysis Summary header at a glance
  • All existing functionality is preserved — changes are purely additive

Context

Resolves #34. Full details in that issue.

Intune uses two separate channels for macOS app deployment. The sidecar agent channel (IntuneMDMDaemon) is already covered. The native MDM channel (mdmclientInstallApplication) is not — those apps never appear in IntuneMDMDaemon logs.

New files (8)

File Purpose
LOBModels.swift Data models: SidebarEvent wrapper enum, LOBAppEvent, UnifiedLogEntry, InstallLogEntry, LOBPackageReceipt, ChannelBadge, lifecycle stages
UnifiedLogReader.swift Queries unified log via log show --style json with InstallApplication predicate
InstallLogParser.swift Parses /var/log/install.log
InstallHistoryParser.swift Parses InstallHistory.plist — detects MDM installs via appstored, mdmclient, GUID display names
LOBCorrelationEngine.swift Merges three sources, groups by MDM command UUID
LOBSidebarView.swift LOBEventRow component for LOB events in the unified sidebar list
LOBDetailView.swift Detail view with lifecycle timeline, receipt info, log entries
DeploymentLifecycleView.swift Visual pipeline: MDM Command → Download → Install → Verify

Modified files (7)

File Changes
Models.swift Added DeploymentChannel enum, deploymentChannel property on PolicyExecution
LogParser.swift Removed AppPolicyResultsReporter filter, added deploymentChannel: .agent
ViewController.swift Added SidebarEvent-based unified selection, EventFilter.lobOnly (⌘4), LOB stats in analysis header, LOB event list
ClipLibrary.swift Added deploymentChannel to clip snapshot persistence
SyncEventDetailView.swift Added channel badge to policy rows
PolicyDetailView.swift Added channel badge to policy header
project.pbxproj Added new files to QuickLook target membership

Test plan

  • Verify existing Agent Apps view works identically (no regressions)
  • Keyboard shortcuts ⌘1/2/3 switch Sync/Recurring/Health filters as before
  • ⌘4 switches to LOB Installs filter, showing LOB events in sidebar
  • On an Intune-managed Mac with LOB apps: LOB filter shows InstallApplication events
  • VPP/App Store apps pushed via MDM appear (processName=appstored)
  • Non-MDM installs (manual, software update) do NOT appear in LOB list
  • Selecting a LOB event shows LOBDetailView in content pane
  • LOB stats visible in Analysis Summary header regardless of active filter
  • Reload (⌘R) reloads both agent and LOB data
  • Clip library, export, and other keyboard shortcuts still function

Tested on an Intune-managed Mac with LOB apps pushed from the Intune portal.

@houstontxguy
Add LOB (Managed PKG) app deployment visibility via native MDM channel
d4a4cb0 
Adds visibility into Intune LOB apps (managed PKGs) deployed via
Apple's native MDM InstallApplication command, which are invisible
in the existing IntuneMDMDaemon log parsing.

Data sources:
- macOS unified log (com.apple.ManagedClient / InstallApplication)
- /var/log/install.log
- /Library/Receipts/InstallHistory.plist

UI: LOB Installs is a 4th filter button (Cmd+4) in the existing
sidebar alongside Sync, Recurring, and Health events. Selecting a
LOB event shows a detail view with deployment lifecycle timeline,
receipt info, and correlated log entries. LOB stats appear in the
Analysis Summary header at a glance.

Detection filters:
- Unified log predicate targets only InstallApplication category
  events and storedownloadd
- Correlation engine skips entries without command UUID
- InstallHistory parser accepts only appstored, mdmclient, and
  GUID-named installer entries

New files: LOBModels, UnifiedLogReader, InstallLogParser,
InstallHistoryParser, LOBCorrelationEngine, LOBSidebarView,
LOBDetailView, DeploymentLifecycleView

Modified: Models (DeploymentChannel enum), LogParser (channel tag),
ViewController (unified sidebar, LOB filter), ClipLibrary,
PolicyDetailView, SyncEventDetailView (channel badges)
@houstontxguy houstontxguy force-pushed the feature/lob-app-visibility branch from 41bf63f to d4a4cb0 Compare March 20, 2026 15:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature: Add visibility into LOB (Managed PKG) app deployments via native MDM channel

1 participant

@houstontxguy