Problem
IntuneLogWatch currently monitors the Intune sidecar agent logs (IntuneMDMDaemon) which covers DMG and unmanaged PKG deployments. However, Intune LOB apps (managed PKGs) deployed via Apple's native MDM channel are completely invisible — they never appear in IntuneMDMDaemon logs because they go through mdmclient, logging to the macOS unified logging system instead.
This is a significant blind spot for IT admins managing both deployment channels.
The two macOS Intune app channels
|
LOB (Managed PKG) |
Agent-Deployed (DMG/Unmanaged PKG) |
| Mechanism |
Apple native MDM InstallApplication command |
Intune sidecar agent |
| Process |
mdmclient |
IntuneMDMDaemon |
| Log location |
macOS unified log (com.apple.ManagedClient) |
/Library/Logs/Microsoft/Intune/IntuneMDMDaemon*.log |
| Visible in IntuneLogWatch? |
No |
Yes |
Solution
I've built a working implementation in a fork that adds LOB app visibility by reading from three sources:
- macOS unified log —
log show --style json with InstallApplication category predicate captures MDM commands with UUIDs
/Library/Receipts/InstallHistory.plist — Identifies completed MDM installs via appstored (VPP apps), mdmclient, and GUID-named installer entries/var/log/install.log — Supplementary install execution details
These are correlated into unified LOB deployment events and displayed in a new tab alongside the existing Agent Apps view.
UI Changes
- Three-tab selector in the sidebar: Agent Apps (existing) | LOB Apps (new) | All Apps (combined)
- Deployment lifecycle view showing MDM Command → Download → Installation → Verification stages
- Channel badges on all policy rows distinguishing "Agent" vs "Managed LOB"
- Existing Agent Apps view works identically — all changes are additive
Data layer (new files)
UnifiedLogReader.swift — Queries unified log via /usr/bin/log show --style jsonInstallLogParser.swift — Parses /var/log/install.logInstallHistoryParser.swift — Parses InstallHistory.plist with MDM-specific heuristicsLOBCorrelationEngine.swift — Merges all three sources into LOBAppEvent objectsLOBModels.swift — Data models for the LOB pipeline
Existing file changes
Models.swift — Added DeploymentChannel enum, deploymentChannel property on PolicyExecutionLogParser.swift — Removed AppPolicyResultsReporter filter, added deploymentChannel: .agentViewController.swift — Added source selector and conditional renderingSyncEventDetailView.swift / PolicyDetailView.swift — Added channel badges
Working fork
https://github.com/houstontxguy/IntuneLogWatchLOB
Tested on an Intune-managed Mac with LOB apps pushed from the Intune portal. The app correctly identifies InstallApplication MDM commands, VPP app pushes (appstored), and managed PKG installs while filtering out mdmclient housekeeping noise.
Happy to submit a PR if you're interested in integrating this. Would also be glad to adjust the approach based on your feedback.
Problem
IntuneLogWatch currently monitors the Intune sidecar agent logs (
IntuneMDMDaemon) which covers DMG and unmanaged PKG deployments. However, Intune LOB apps (managed PKGs) deployed via Apple's native MDM channel are completely invisible — they never appear in IntuneMDMDaemon logs because they go throughmdmclient, logging to the macOS unified logging system instead.This is a significant blind spot for IT admins managing both deployment channels.
The two macOS Intune app channels
InstallApplicationcommandmdmclientIntuneMDMDaemoncom.apple.ManagedClient)/Library/Logs/Microsoft/Intune/IntuneMDMDaemon*.logSolution
I've built a working implementation in a fork that adds LOB app visibility by reading from three sources:
log show --style jsonwithInstallApplicationcategory predicate captures MDM commands with UUIDs/Library/Receipts/InstallHistory.plist— Identifies completed MDM installs viaappstored(VPP apps),mdmclient, and GUID-named installer entries/var/log/install.log— Supplementary install execution detailsThese are correlated into unified LOB deployment events and displayed in a new tab alongside the existing Agent Apps view.
UI Changes
Data layer (new files)
UnifiedLogReader.swift— Queries unified log via/usr/bin/log show --style jsonInstallLogParser.swift— Parses/var/log/install.logInstallHistoryParser.swift— ParsesInstallHistory.plistwith MDM-specific heuristicsLOBCorrelationEngine.swift— Merges all three sources intoLOBAppEventobjectsLOBModels.swift— Data models for the LOB pipelineExisting file changes
Models.swift— AddedDeploymentChannelenum,deploymentChannelproperty onPolicyExecutionLogParser.swift— RemovedAppPolicyResultsReporterfilter, addeddeploymentChannel: .agentViewController.swift— Added source selector and conditional renderingSyncEventDetailView.swift/PolicyDetailView.swift— Added channel badgesWorking fork
https://github.com/houstontxguy/IntuneLogWatchLOB
Tested on an Intune-managed Mac with LOB apps pushed from the Intune portal. The app correctly identifies
InstallApplicationMDM commands, VPP app pushes (appstored), and managed PKG installs while filtering out mdmclient housekeeping noise.Happy to submit a PR if you're interested in integrating this. Would also be glad to adjust the approach based on your feedback.