Downloads and installs the latest available Microsoft product specified directly on the client. This avoids having to manually download and store an up-to-date installer on a distribution server every month.

Download and Install Microsoft product.zsh

#!/bin/zsh

:<<'ABOUT_THIS_SCRIPT'
-----------------------------------------------------------------------

	Written by:William Smith
	Partner Program Manager
	Jamf
	bill@talkingmoose.net
	https://gist.github.com/b6637160b65b751824943ede022daa17
	
	Originally posted: November 19, 2017
	Updated: February 13, 2023
	Updated: March 8, 2024
	Updated: April 22, 2024
	Updated: June 5, 2024
	    Included Team ID check
	Updated: March 30, 2026
		Included Microsoft 365 Copilot universal

	Purpose: Downloads and installs the latest available Microsoft
	product specified directly on the client. This avoids having to
	manually download and store an up-to-date installer on a
	distribution server every month.
	
	Instructions: Update the linkID value to one of the corresponding
	Microsoft products in the list and optionally update the sha256Checksum
	value with a known SHA 256 string. Run the script with elevated
	privileges. If using Jamf Pro, consider replacing the linkID,
	sha256Checksum, and teamID values with "$4", "$5" and "$6", entering the ID
	as script parameters in a policy.

	Except where otherwise noted, this work is licensed under
	http://creativecommons.org/licenses/by/4.0/

	"You say goodbye and I say exit 0."
	
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT

# enter the Microsoft fwlink (permalink) product ID
# or leave blank if using a $4 script parameter with Jamf Pro

linkID="" # e.g. "525133" for Office 2019
teamID="" # usually "UBF8T346G9" but may differ between products

# 525133 - Office 2019 and later for Mac SKUless download (aka Office 365)
# 2009112 - Office 2019 and later for Mac BusinessPro SKUless download (aka Office 365 with Teams)
# 871743 - Office 2016 for Mac SKUless download
# 830196 - AutoUpdate download
# 2069439 - Edge (Intel Consumer Beta)
# 2069340 - Edge (Intel Consumer Dev)
# 2069147 - Edge (Intel Consumer Canary)

# These no longer work; unable to determine link IDs
# XXXXXXX - Edge (Enterprise Stable)
# XXXXXXX - Edge (Enterprise Beta)
# XXXXXXX - Edge (Enterprise Dev)

# Releases sourced from https://www.microsoft.com/en-us/edge/download?form=MA13FJ
# 2069148 - Edge (Intel Consumer Stable)
# 2093504 - Edge (Apple Silicon Stable)
# 2069340 - Edge (Intel Dev)
# 2099619 - Edge (Apple Silicon Dev)

# 2325438 - Microsoft 365 Copilot universal
# 525135 - Excel 2019 SKUless download
# 871750 - Excel 2016 SKUless download
# 869655 - InTune Company Portal download (Intel only from October 2023)
# 853070 - InTune Company Portal download (Universal)
# 823060 - OneDrive download
# 820886 - OneNote download
# 525137 - Outlook 2019 SKUless download
# 871753 - Outlook 2016 SKUless download
# 525136 - PowerPoint 2019 SKUless download
# 871751 - PowerPoint 2016 SKUless download
# 868963 - Remote Desktop
# 800050 - SharePoint Plugin download
# 832978 - Skype for Business download
# 869428 - Teams Classic
# 2249065 - New Teams
# 525134 - Word 2019 SKUless download
# 871748 - Word 2016 SKUless download

# enter the SHA 256 checksum for the download file
# download the package and run '/usr/bin/shasum -a 256 /path/to/file.pkg'
# this will change with each version
# leave blank to to skip the checksum verification (less secure) or if using a $5 script parameter with Jamf Pro

sha256Checksum="" # e.g. "67b1e8e036c575782b1c9188dd48fa94d9eabcb81947c8632fd4acac7b01644b"

if [ "$4" != "" ] && [ "$linkID" = "" ]
then
    linkID=$4
fi

if [ "$5" != "" ] && [ "$sha256Checksum" = "" ]
then
    sha256Checksum=$5
fi

if [ "$6" != "" ] && [ "$teamID" = "" ]
then
    teamID=$6
fi

# this is the full fwlink URL
url="https://go.microsoft.com/fwlink/?linkid=$linkID"

# create temporary working directory
echo "Creating working directory '$tempDirectory'"
workDirectory=$( /usr/bin/basename $0 )
tempDirectory=$( /usr/bin/mktemp -d "/private/tmp/$workDirectory.XXXXXX" )

# change directory to temporary working directory
echo "Changing directory to working directory '$tempDirectory'"
cd "$tempDirectory"

# download the installer package and name it for the linkID
echo "Downloading package $linkID.pkg"
/usr/bin/curl --location --silent "$url" -o "$linkID.pkg"

# checksum the download
downloadChecksum=$( /usr/bin/shasum -a 256 "$tempDirectory/$linkID.pkg" | /usr/bin/awk '{ print $1 }' )
echo "Checksum for downloaded package: $downloadChecksum"

# extract Team ID from the download
downloadTeamID=$( /usr/sbin/pkgutil --check-signature "$tempDirectory/$linkID.pkg" | /usr/bin/awk -F '[()]' '/Developer ID Installer/{ print $2 }' )
echo "Team ID for downloaded package: $downloadTeamID"

# install the package if checksum validates
if ([ "$sha256Checksum" = "$downloadChecksum" ] || [ "$sha256Checksum" = "" ]) && ([ "$teamID" = "$downloadTeamID" ] || [ "$teamID" = "" ]); then
	echo "Checksum and Team ID verified. Installing package $linkID.pkg"
	/usr/sbin/installer -pkg "$linkID.pkg" -target /
	exitCode=0
else
	echo "Checksum failed. Recalculate the SHA 256 checksum and try again. Or download may not be valid."
	exitCode=1
fi

# remove the temporary working directory when done
/bin/rm -Rf "$tempDirectory"
echo "Deleting working directory '$tempDirectory' and its contents"

exit $exitCode

Is there a new product id for Teams? 869428 only pulls Teams Classic now. Thanks @talkingmoose!

I've found the ID for New Teams and updated the script to include it.

Hey @talkingmoose

maybe you can add a teamid check to be on the safe side? As far as i know the Microsoft Team ID is always UBF8T346G9.

if [ "$6" != "" ] && [ "$Teamid" = "" ]
then
    Teamid=$6
fi

...............

# Get package TeamID
packageTeamid=$(spctl -a -vv -t install "$tempDirectory/$linkID.pkg" 2>&1 | awk -F '[()]' '/origin=/ {print $2}')

#Check if the package TeamID is the Microsoft TeamID.
if [[ " $Teamid " == " $packageTeamid " ]]; then
    echo "Package TeamID $packageTeamid is valid"
else
    echo "Package TeamID $packageTeamid is unvalid"
    exit 1
fi

@colorenz, thanks for the suggestion. I've updated it and briefly tested it. Take it for a spin and let me know your results.

Hi @talkingmoose,
Could you please updated the script with product ID:2325438
*Microsoft 365 Copilot app

Hello @talkingmoose,

We use this script to install Word/Excel/Powerpoint during an MacOs installation it worked fine until Microsoft discontinue the 2021 Microsoft_Office_LTSC_2021_VL_Serializer we switched to 2024 and it works fine IF we install the following versions.

Microsoft_Word_16.105.26020123_Updater.pkg
Microsoft_PowerPoint_16.105.26020123_Updater.pkg
Microsoft_Excel_16.105.26020123_Updater.pkg

We can then update to the latest version if i use the script it i will receive a white login screen (office not activated).

Any idea's on how to solve this issue ?

We would use the following versions inside the script

525134 - Word 2019 SKUless download
525135 - Excel 2019 SKUless download
525136 - PowerPoint 2019 SKUless download

@r2range I’m unaware of the latest Serializer version today. Is it for 2024 and later or has it possibly been updated?

Behavior may have changed, but an older serializer version installed with an up-to-date Office version should allow the up-to-date Office version to work but without newer features that were released with the latest serializer version.

Unfortunately, all this script can do is install the latest version of any product. It can’t account for idiosyncrasies with the serializer. You may want to test your order of installation whether installing new or upgrading:

1. Serializer
2. Office product

Hello @talkingmoose
We have seen a number of false positives in Jamf because the checksum works fine, but the app doesn't get installed because installer doesn't recognize it as valid. We have retries set for these policies, but because script exits with 0, instead of 1, it is recorded as completed, instead of failed. Would it be possible to add logic to check for installer recognizing a package as Microsoft * or Intune * (for Company Portal), if not exit as 1? Would team ID help with this? Please see example of actual completed install vs false positive below. Thanks in advance.

Script exit code: 0

Script result: Creating working directory "
Changing directory to working directory /private/tmp/InstallLatestMSProduct.sh.WdfxH8'
Downloading package 823060.pkg
Checksum for downloaded package:
2a832e34c4603b7de122d3a7bc7652f1b254dc8af0045f0ec6e4730427f68623
Checksum verified. Installing package 823060.pkg installer: Package name is Microsoft OneDrive installer: Installing at base path / installer: The install was successful.
Deleting working directory /private/tmp/InstallLatestMSProduct.sh.WdfxH8' and its contents

Script exit code: 0

Script result: Creating working directory "
Changing directory to working directory /private/tmp/InstallLatestMSProduct.sh.uzX6Nf"
Downloading package 823060.pkg
shasum: /private/tmp/InstallLatestMSProduct.sh.uzX6Nf/823060.pkg: No such file or directory
Checksum for downloaded package:
Checksum verified. Installing package 823060.pkg
installer: Error - the package path specified was invalid: '823060.pkg'.
Deleting working directory /private/tmp/InstallLatestMSProduct.sh.uzX6Nf' and its contents