Download and Install Microsoft Office 365

What the Microsoft 365 Apps deployer does

This Automox Worklet™ deploys the full Microsoft 365 Apps suite to macOS endpoints by pulling the universal installer package directly from Microsoft's content delivery network. The Worklet retrieves the package from the canonical fwlink redirect at go.microsoft.com/fwlink/?linkid=525133, which Microsoft uses to serve the current production build for both Intel and Apple Silicon hardware. No installer files have to live on a file share, and no per-host download cache has to be maintained.

After the download completes, the Worklet hands the package to the native macOS installer binary with -target / so every Microsoft 365 component lands in /Applications. The deployed suite includes Microsoft Word, Excel, PowerPoint, Outlook, OneNote, and OneDrive, along with the AutoUpdate (MAU) helper that keeps each application current after first launch. The temporary pkg in /tmp is removed at the end of the run so the endpoint does not accumulate 8+ GB of installer cache between policy executions.

Detection is rooted in the presence of /Applications/Microsoft Excel.app, which the Worklet treats as a proxy for the full suite. If Excel is missing, the Worklet downloads and installs. If Excel is present, the script logs a skip message and exits, so re-running the policy on an already-provisioned endpoint costs nothing beyond the evaluation pass.

Why deploy Microsoft 365 to Mac endpoints from Automox

The Microsoft 365 Apps installer for macOS is over 8 GB. Handing that download to end users to run themselves stretches first-day onboarding, blocks new hires from joining Teams meetings, and lights up help-desk tickets when the installer fails part-way through. Pushing the deployment from Automox replaces the self-service flow with a silent pkg install that runs under the agent's elevated context, with no Apple ID prompts, no admin password requests, and no manual disk-image mount step. The pkg is signed and notarized by Microsoft, so Gatekeeper accepts it without user interaction.

Targeting this Worklet at your Mac endpoint group makes Microsoft 365 a baseline rather than a per-laptop install task. Paired with a recurring evaluation cadence, the suite reinstalls itself the next time a user drags Word into the Trash, and new hire laptops arrive at first login with Word, Excel, PowerPoint, Outlook, and OneNote already in /Applications. Compliance teams also pick up an audit trail of who received the suite and when, which is harder to reconstruct from a self-service installer link in a wiki page.

How Microsoft 365 deployment works

1. Evaluation phase: The evaluation script returns exit 1 unconditionally, which routes every endpoint to remediation. The detection logic actually runs inside the remediation script, where a single test on /Applications/Microsoft Excel.app decides whether to download. This pattern keeps the Worklet idempotent across recurring policies and lets the same policy reinstall the suite the moment an end user removes an app.

2. Remediation phase: If /Applications/Microsoft Excel.app is absent, the script runs curl -L -o /tmp/Microsoft_Office_Installer.pkg https://go.microsoft.com/fwlink/?linkid=525133 to pull the current universal package, then installer -pkg /tmp/Microsoft_Office_Installer.pkg -target / to lay down every Microsoft 365 component on the boot volume. The pkg is removed with rm -rf once the installer finishes. If Excel is already present, the script logs Microsoft Office 365 is already installed. Skipping installation. and exits cleanly.

Microsoft 365 deployment requirements

• macOS Big Sur (11), Monterey (12), Ventura (13), Sonoma (14), or later running on Intel or Apple Silicon

• At least 10 GB of free space on the boot volume to hold the downloaded pkg and the unpacked applications

• Outbound HTTPS to go.microsoft.com and the officecdn.microsoft.com origins it redirects to

• Automox agent running with its default root context; no additional privilege escalation is required

• An extended policy timeout to accommodate the 8+ GB pkg download on slower links. A 60-minute remediation window is a safe starting point

• A valid Microsoft 365 subscription for each user who will sign in to the suite after install. The pkg itself installs and runs without a license, but activation requires the user's account on first launch

Expected state after Microsoft 365 deployment

After a successful run, /Applications contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Outlook, Microsoft OneNote, and OneDrive, along with the Microsoft AutoUpdate helper at /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app. Each application opens to a sign-in prompt that accepts the user's Microsoft 365 work or school account. The /tmp/Microsoft_Office_Installer.pkg file is removed, so df -h reports the original free space minus the installed application footprint and nothing more.

Validate the deployment with ls /Applications | grep -i microsoft to confirm the application bundles, mdls -name kMDItemVersion /Applications/Microsoft\ Excel.app to read the installed build, and pkgutil --pkgs | grep com.microsoft to list the receipts the installer registered. For audit evidence, capture the Automox activity log entry for the policy run and pair it with the installer log at /var/log/install.log, which records the package identifier and the target volume for every component that was laid down. The next evaluation pass returns exit 1 on schedule and the remediation script logs the skip path, confirming the suite is in place without performing a second download.