macOS - Software - Install Microsoft Edge

What the Microsoft Edge macOS deployer does

This Automox Worklet™ deploys Microsoft Edge to macOS endpoints by downloading the signed Microsoft Edge installer through the Automox ottopm package manager and running it with the native macOS installer utility. The Worklet first checks /Applications/Microsoft Edge.app on the endpoint, treats the host as compliant when the bundle is already present, and triggers remediation only when Edge is missing.

The remediation script calls /usr/local/bin/wdk ottopm download Microsoft_Edge to fetch the PKG into the agent cache, parses the downloaded_file_path returned by ottoq, runs sudo installer -pkg <path> -target / against the root volume, and re-checks the application bundle before exiting. The installer payload places Microsoft Edge.app under /Applications and registers the EdgeUpdater agent so the browser stays current between Automox policy runs without a user prompt.

Why deploy Microsoft Edge across your Mac fleet

Microsoft Edge is the working browser for Mac users in Microsoft 365 shops because it carries Entra ID single sign-on, Defender SmartScreen, and Intune-delivered browser policies natively, without the extension stack required to wire Chrome or Safari into the same controls. Edge for macOS also installs the EdgeUpdater LaunchDaemon at /Library/Application Support/Microsoft/EdgeUpdater, which keeps the Chromium engine patched between Automox policy runs.

Apply this Worklet to your macOS group on the same cadence as the rest of your software-baseline policies. Edge lands on every Mac that comes online without an ad-hoc Jamf push or a help-desk ticket per user, and newly imaged or newly enrolled endpoints align with the same Edge build on their first agent sync.

How the Edge PKG install works

1. Evaluation phase: The evaluation script tests for the /Applications/Microsoft Edge.app directory on the endpoint. If the bundle exists, the script exits 0 and the endpoint is reported compliant. If the bundle is absent, the script exits 1 so the Automox policy schedules the remediation run.

2. Remediation phase: The remediation script calls /usr/local/bin/wdk ottopm download Microsoft_Edge to pull the signed PKG into the agent cache, reads the downloaded_file_path from the ottoq JSON output, runs sudo installer -pkg <path> -target / to install onto the root volume, and re-tests for /Applications/Microsoft Edge.app. A missing bundle after install returns a non-zero exit code so the failure surfaces in the Automox activity log.

Microsoft Edge deployment requirements

• macOS 11 Big Sur or later on Intel or Apple Silicon (the universal PKG covers both architectures)

• Automox agent installed and running with its default root context so installer -pkg can write to / and /Applications

• /usr/local/bin/wdk present on the endpoint (shipped with the Automox macOS agent) for the ottopm download step

• Outbound HTTPS reachability from the endpoint to the Automox content endpoints on port 443 for the PKG download

• Roughly 400 MB of free space on the system volume for the installer payload, plus headroom for EdgeUpdater

• No MDM payload that blocks third-party app installs to /Applications; remove any conflicting Jamf or Intune restriction before scheduling the Worklet

Expected state after Edge is deployed

After remediation, /Applications/Microsoft Edge.app is present on the endpoint and reports a valid version when queried with mdls -name kMDItemVersion '/Applications/Microsoft Edge.app'. The EdgeUpdater LaunchDaemon and LaunchAgent register under /Library/LaunchDaemons/com.microsoft.EdgeUpdater.update.plist and /Library/LaunchAgents/com.microsoft.EdgeUpdater.update.plist, which is how Edge stays patched between policy runs. Spotlight returns the Microsoft Edge bundle, and users can launch the browser and sign in with their Microsoft work account to pick up Entra ID single sign-on and Conditional Access policy.

Validate the deployment from a terminal with ls -ld '/Applications/Microsoft Edge.app' and pkgutil --pkg-info com.microsoft.edgemac, both of which return zero on a successful install. The Automox activity log records the exit code and a final compliance state per endpoint, so a single CSV export from the console is enough audit evidence that every macOS host in the policy now runs the supported Edge channel.