Do I need an Apple Developer license to sign and distribute a custom nix-darwin package to managed ABM/ABE devices?
I created a flake that sets up our developer machines: adjusts user settings, installs Homebrew packages, streamlines the Dock with the apps developers actually use, installs IDEs and extensions, configures env-file handling using JIT/Service Worker accounts so secrets never touch disk, and handles a bunch of other developer-experience setup.
The idea is to deploy a custom package through our managed Apple Business Manager / Apple Business Essentials devices that installs nix-darwin, builds the flake silently, and then declaratively applies the system/user configuration.
What I’m trying to understand is the best-practice path for packaging and distributing this internally.
Do I need an Apple Developer Program license to properly sign/notarize the installer package, or is that only required if distributing outside of our managed fleet? Can this be handled entirely through MDM/ABM/ABE with an unsigned or locally signed package, or will Gatekeeper / macOS security policies still require a Developer ID-signed package?
I’m especially interested in how other Mac admins are handling:
- Internal-only package signing
- Deploying nix-darwin or Nix-based developer environments
- Silent installs through MDM
- Gatekeeper/notarization requirements for managed Macs
- Whether Developer ID signing is worth doing even if it is not strictly required
Any guidance or examples from people doing something similar would be appreciated.