Download and Install Microsoft Remote Desktop

What the Microsoft Remote Desktop deployment Worklet does

This Automox Worklet™ deploys the Microsoft Remote Desktop client to macOS endpoints so Mac users can open RDP sessions to Windows Server, Azure Virtual Desktop (AVD), Windows 365 Cloud PC, and individual Windows workstations. The Worklet pulls the current signed PKG installer directly from Microsoft's distribution endpoint (go.microsoft.com/fwlink/?linkid=868963), runs the macOS installer command against the root volume, and removes the temporary PKG when the install completes.

The remediation script is guarded by a check for /Applications/Microsoft Remote Desktop.app. If the bundle already exists, the script logs that the client is present and exits without downloading the installer again. The first run installs the client on every endpoint missing it, and every subsequent run is a no-op on endpoints that already have it.

Because the evaluation script exits 1 by default, the policy always proceeds to remediation. The reinstall-on-removal behavior is intentional: if a user drags Microsoft Remote Desktop.app to the Trash, the next Worklet evaluation flags the endpoint and the remediation step puts the client back. You get the package back without a help desk ticket or a manual reinstall on the endpoint.

Why standardize Microsoft Remote Desktop across managed Macs

Microsoft Remote Desktop is the supported macOS client for RDP into Windows Server Remote Desktop Services, Azure Virtual Desktop session hosts, Windows 365 Cloud PCs, and any Windows 10 or Windows 11 workstation with Remote Desktop enabled. When the client is missing or out of date, Mac users either cannot reach a session host at all or end up running an unsigned RDP client downloaded from a search result. Both outcomes create support tickets, and the second one creates an audit problem. Standardizing on the signed PKG that Microsoft publishes through go.microsoft.com/fwlink/?linkid=868963, installed through the standard macOS installer pipeline, removes that variability across the fleet.

A single Automox policy applied to your macOS group standardizes the RDP client across managed endpoints. Already-installed copies of Microsoft Remote Desktop.app are detected and skipped, missing copies receive the same signed PKG, and the next evaluation reinstalls the app if a user moves it to the Trash. The result is a consistent, audit-friendly RDP client on every Mac under Automox management, including remote and contractor endpoints that never appear on the corporate network.

How Microsoft Remote Desktop deployment works

1. Evaluation phase: evaluation.sh exits 1 unconditionally, which sends every endpoint into remediation. This design lets the same Worklet handle initial deployment and self-healing after an end user uninstalls the client. The actual installed-or-not check lives in remediation.sh so the Worklet stays idempotent under recurring policies.

2. Remediation phase: remediation.sh tests for /Applications/Microsoft Remote Desktop.app. If the bundle is missing, the script runs curl -L -o /tmp/Microsoft_Remote_Desktop_Installer.pkg https://go.microsoft.com/fwlink/?linkid=868963, then installer -pkg /tmp/Microsoft_Remote_Desktop_Installer.pkg -target /, and finally rm -rf /tmp/Microsoft_Remote_Desktop_Installer.pkg. If the bundle is already present, the script echoes a skip message and exits 0 without touching the endpoint.

Microsoft Remote Desktop deployment requirements

• macOS Big Sur (11) or later on Intel or Apple Silicon. The current Microsoft Remote Desktop universal binary targets macOS 11 and above; older builds for macOS 10.14 and 10.15 are no longer published through this fwlink.

• Outbound HTTPS reachability from the endpoint to go.microsoft.com and Microsoft's CDN. Proxy environments must allow the redirect chain from fwlink/?linkid=868963 to the signed PKG download host.

• Root context for the Automox agent on macOS, which is the default. The installer command writes to /Applications and registers the bundle with Launch Services, both of which require elevated privileges.

• Approximately 500 MB of free space on the system volume. The PKG download is staged under /tmp and removed after install completes, so the long-term footprint is the application bundle in /Applications.

• RDP reachability to the target session host. Microsoft Remote Desktop uses TCP/UDP 3389 for direct RDP, or HTTPS 443 via Azure Virtual Desktop and Windows 365 Cloud PC gateways. This Worklet installs the client only; firewall and gateway configuration belong to the network policy.

Expected state after Microsoft Remote Desktop deployment

After remediation succeeds, /Applications/Microsoft Remote Desktop.app exists on the endpoint and the bundle is registered with macOS Launch Services. End users can open the app from Spotlight or Launchpad, add a PC by hostname or IP, add a Workspace URL for Azure Virtual Desktop or Windows 365, and store credentials in the macOS Keychain. The activity log for the policy run records the curl download, the installer output (which includes the PKG identifier com.microsoft.rdc.macos), and the rm cleanup of the staged PKG.

Validate on a pilot endpoint with two commands. Run pkgutil --pkgs | grep -i com.microsoft.rdc.macos to confirm the receipt is registered, and run mdls -name kMDItemVersion '/Applications/Microsoft Remote Desktop.app' to read the installed CFBundleShortVersionString. For an end-to-end test, open the app and connect to a known Windows host on port 3389 or to an Azure Virtual Desktop feed URL. If a future evaluation flags the endpoint again, the most likely cause is a user removal of the app bundle; the next remediation run will reinstall it from the same fwlink and restore the steady state.