Mac Software Management (WIP)

Munki

Overview

Munki is a software deployment system for macOS that uses what could be termed a "thin server" approach. There is no Munki server application, just a repository of files stored on an ordinary webserver (in this case hilbert.math.ucsb.edu.) A client application called Managed Software Center reads this repository and adds, removes, or upgrades client-side applications. The repository can be administered from any macOS workstation that has the Munki administration tools installed -- the most commonly used of these are munkiimport, manifestutil, and makecatalogs.

munkiimport is used to add a new application to the repository. It analyzes the DMG or PKG file, generates a Munki pkginfo file for it, and copies both to the repository. It optionally allows editing the pkginfo file first, and afterwards optionally runs makecatalogs.
manifestutil edits the manifest files used to determine which clients get which applications. We currently have the following manifests:
- all_workstations -- included in all other manifests. Contains common packages such as web browsers and printer drivers that all clients receive, as well as infrastructure packages like munkireport.
- faculty_workstation -- template for a typical faculty workstation. Includes editors, Mathematica, LibreOffice, Macaulay2, MacTex, R, Xcode, and MacPorts. Some of these are optional.
- lab_workstation -- Very similar to faculty_workstation, but with less customization. Also adds some desktop theming.
- site_default -- Not used.
- staff_workstation -- template for a typical staff workstation. Includes 4D. Many of the packages from the faculty_workstation manifest are available, but optional.
- student_workstation -- template for student office worker workstations. Something of a hybrid between staff and faculty, in terms of package loadout.
- test_workstation -- Used for testing. Normally no workstations are assigned this manifest.
makecatalogs reads the pkginfo files and compiles catalogs that can be included in manifests. Adding a package to a manifest doesn't do anything unless that manifest also includes the package's catalog.

Before running these for the first time, "munkiimport --config" should be run to configure the repository location. The correct one is currently "smb://hilbert.math.ucsb.edu/munkirepo".

Which manifest a given client uses is controlled by profile settings deployed by the Profile Manager MDM. The preference domain is "ManagedInstalls" and the following keys are used in our install:

Key	Type	Description
ClientIdentifier	String	The name of the manifest to use, e.g. "lab_workstation"
SoftwareRepoURL	String	Location of the Munki repo, e.g. "https://hilbert.math.ucsb.edu/repo/"
InstallAppleSoftwareUpdates	Boolean	Whether the Munki client should install Apple software updates (Does not work on macOS 11 and later.)
UnattendedAppleUpdates	Boolean	Whether to install Apple updates without user confirmation, when the client is idle. (Does not work on macOS 11 and later.)

The full set of keys is documented in the Munki Wiki.

Multi-architecture support

PackagesByCPUArch - Pushing separate packages for Intel and Apple Silicon Macs
RosettaInstallation

External documentation

Munki Wiki

Edit • Attach • Print version • History: r3 < r2 < r1 • Backlinks • View wiki text • Edit wiki text • More topic actions