Using Munki to Manage Apple Software Updates
This post is all about leveraging Munki to provide managed Apple software updates to client computers, without the need for administrator credentials at the client side.
For anyone that has not seen or used the managed software installation product “Munki”, it is a set of command-line tools that can host and distribute a web-server based repository of package installation files. It has become a subset of the larger Google project, Simian which allows for software distribution and management at an enterprise level.
Munki can allow an administrator to install or uninstall software packages. It can also offer optional installer packages to specified computers (much like Casper’s self-service app).
A brief introduction to Munki
Munki is a server/client set of tools that can manage software distribution to Mac OS X client computers. It is made up of the following components:
Web server - To host the munki repository
Munki tools - Stored on the server in /usr/local/munki to provide the ability to capture packages and add them to catalogs and manifests
Installer packages - The actual packages you want to deploy (can be drag and drop apps, apple installers or packages created from third party tools such as Iceberg or Composer from JAMF software) – Yes I have intentionally excluded PackageMaker from the party
Catalogs - XML plist files with lists of available software packages
Manifests - List of software to be installed or removed from a given computer or group of computers
If you have not tried it yet, you should check out the google project home at code.google.com/p/munki/
Apple software update recap…
As many of you will be aware, Apple software update is built into the Mac OS and can be user initiated or on a scheduled basis. The initial weaknesses are the requirement for the user to input administrator credentials to install some of the updates and the lack of control the IT administrator has over the updates offered by the Apple software update servers.
The first issue can be solved by using Munki, which we will look at in a moment. the second issue, controlling updates being offered by Apple, can be easily controlled by directing the client to a local software update server and only enabling the updates once they have been tested.
You can direct users to you own software update server(s) either via MCX preferences or by setting the relevant CatalogURL key in /Library/Preferences/com.apple.SoftwareUpdate.plist.
The manual approach
The first option (which is fairly labour intensive), is to download the specific update you want to target and then use the munkiimport tool to add it to the relevant Munki catalog and manifest(s).
As you can imagine, having to do this for every single update may become a little tedious, although it would give you a very high level of granular control.
Using Munki to provide Apple software updates
The second option uses the Munki Managed Software Update tool to run the Apple software updates. This setting is controlled in the /Library/Preferences/ManagedInstalls.plist file.
Firstly you configure Munki to download available Apple software updates if there are no outstanding updates on the Munki server:
sudo defaults write /Library/Preferences/ManagedInstalls InstallAppleSoftwareUpdates -bool TRUE
If you want Munki to check with a local software update server, rather than the Apple default, you add this key:
sudo defaults write /Library/Preferences/ManagedInstalls SoftwareUpdateServerURL
If no-one is logged in when the check is performed, the updates will be automatically installed, otherwise the updates will be presented to the user via the Munki Managed Software Update tool.
If you just want to be able to provide updates to non-admin users, or have the updates installed in the background (when the user is logged out), this is a really neat solution. You can even use Munki as a client only with the following key:
sudo defaults write /Library/Preferences/ManagedInstalls AppleSoftwareUpdatesOnly -bool TRUE
This will configure the Munki client to not bother checking for a server repository and just run Apple software updates.