TweetFollow Us on Twitter

MacEnterprise: Managing Software Installs with Munki

Volume Number: 26
Issue Number: 10
Column Tag: MacEnterprise

MacEnterprise: Managing Software Installs with Munki

An introduction to software deployment with Munki

By Greg Neagle, MacEnterprise.org

Introduction

Managing Mac OS X machines has many facets. Common tasks include the initial building or imaging of machines, configuration of the OS and applications for use, managing user accounts, setting and enforcing organizational policies, and inventorying hardware and software. Remotely assisting users might also come under the category of Mac management.

Another very common task is installing, updating, and removing software on deployed machines. There are some organizations that build their machines with a "golden master" image, and then never touch them again until they are reimaged, but that's a rare arrangement. For most organizations, there is a continuing need to add, update, and remove software from machines that have been deployed.

There are several commercial tools available to assist you with this task. Among these are the Casper Suite, Absolute Manage (formerly LANrev), KBox, and FileWave. There are also some free tools. Radmind, developed at the University of Michigan, is a tool to manage the contents of a filesystem. Its design allowed it also be used as a software management system, and it has enjoyed some popularity among Mac OS X administrators. I, personally, have used it for the better part of a decade to manage hundreds of Mac OS X machines.

For various reasons, a couple of years ago, I began to look at alternatives to radmind. I needed a system that did not manage the entire filesystem and allowed greater flexibility for users to decide what was installed on their machines, and I wanted a system that removed much of the tedium of adding new software to the management system. The commercial solutions mentioned earlier probably would have met my needs, but timing and finances meant that I'd have to wait a year before we could consider purchasing one of these solutions. So with a year to wait before I could possibly buy a commercial solution, I decided to try writing my own software management utility. The result is munki.

Although munki is relatively new compared to radmind and many of the commercial solutions, it has been in use at my organization for over a year, and is in use by many other organizations world-wide.

What Munki Does

Munki consists of client-side tools written largely in Python, and is available as open-source under the Apache 2 license at http://code.google.com/p/munki. The client tools run on Leopard and Snow Leopard. They require Python 2.5, and so will not run on Tiger or earlier versions of Mac OS X.

On the server side, munki can use any web server. I run my munki repository on an Xserve running Snow Leopard Server, but you can use any available modern web server on any platform. (I say "modern" because some software packages can be over 2GB in size and older web servers have problems serving files of that size.) You do not need to install any munki-specific software on the web server, but you must be able to create directories and files on the web server.

Munki can install software delivered as standard Apple packages - the same kind of packages, that when double-clicked, open in Apple's Installer.app. Munki can also install software from disk images - for example, an application delivered on a disk image that is supposed to be dragged to the Applications folder. These "drag-n-drop disk images" are easily installed by munki. Munki also knows how to install many Adobe products - specifically, it can install the Adobe CS3, CS4, and CS5 products and their updates. In many cases, munki can also remove the software it has installed.

Munki also supports "Optional Software". These are items that are made available to the users of machines your manage, who can decide for themselves whether or not they'd like any of these items installed. If they choose to install an optional software item, they can also later remove it. This feature does not require admin rights for the user, and is similar in concept to "Self Service" installs offered by the Casper Suite from JAMF Software.

Additionally, munki can update software it did not install itself. You can specify that certain software should be updated only if some version is found already installed on a user's machine.

What Munki Doesn't Do

Earlier, we mentioned that managing Mac OS X machines has many facets. Many of the commercial solutions for software deployment also provide solutions for other facets of Mac management. Munki does not. Munki focuses only on software deployment. You'll need to turn to other tools for imaging, inventory, remote assistance, and preference management. At my organization, we're using DeployStudio for imaging and Apple's Screen Sharing for remote assistance. If you've been reading this column for very long, it shouldn't come as a surprise that we're using Local MCX for preference management.

Munki Pieces

Most of the data munki needs to function is stored on a web server. Munki uses three types of data:

Installer items: these are packages or disk images containing the software to be installed. In many cases, you can use a package or disk image provided by the software vendor without having to repackage or convert the installer package in any way. For example, munki can install Firefox from the disk image that you download from http://www.mozilla.com.

Catalogs: these are lists of available software, containing metadata about the installer items. You, as the munki administrator, build these catalogs using tools provided with munki.

Manifests: A manifest is essentially a list of what software should be installed on or removed from a given machine. You could have a different manifest for every machine, or one manifest for all of your machines. Manifests can include the contents of other manifests, allowing you to group software for easy addition to client manifests. For example, you could create a manifest listing all of the software every machine in your organization must have. The manifest for a client could then include the common-software manifest, and additionally have software unique to that client.

Manifests and catalogs are stored on the web server as standard Apple plist files in text format. If you've administered Mac OS X machines, you've almost certainly encountered plist files. They are a well-understood way to store structured data in a text format. Here's an example of a simple manifest:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>catalogs</key>
   <array>
      <string>production</string>
   </array>
   <key>managed_installs</key>
   <array>
      <string>Firefox</string>
      <string>Thunderbird</string>
   </array>
</dict>
</plist>

This manifest simply tells munki to look for information about software to install in the "production" catalog, and to ensure Firefox and Thunderbird are installed. Munki then searches the production catalog for items named "Firefox" and "Thunderbird", and since we did not specify a version, it selects the items with the latest versions. Here's what it finds for Firefox:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>autoremove</key>
   <false/>
   <key>catalogs</key>
   <array>
      <string>production</string>
   </array>
   <key>installer_item_hash</key>
   <string>10ede8228c869ba4b03611b6ec750acbccf879f20ce52cb86e1baf6972f60fb0</string>
   <key>installer_item_location</key>
   <string>Firefox 3.6.10.dmg</string>
   <key>installer_item_size</key>
   <integer>18996</integer>
   <key>installer_type</key>
   <string>copy_from_dmg</string>
   <key>installs</key>
   <array>
      <dict>
         <key>CFBundleIdentifier</key>
         <string>org.mozilla.firefox</string>
         <key>CFBundleName</key>
         <string>Firefox</string>
         <key>CFBundleShortVersionString</key>
         <string>3.6.10</string>
         <key>path</key>
         <string>/Applications/Firefox.app</string>
         <key>type</key>
         <string>application</string>
      </dict>
   </array>
   <key>items_to_copy</key>
   <array>
      <dict>
         <key>destination_path</key>
         <string>/Applications</string>
         <key>source_item</key>
         <string>Firefox.app</string>
      </dict>
   </array>
   <key>minimum_os_version</key>
   <string>10.4.0</string>
   <key>name</key>
   <string>Firefox</string>
   <key>uninstall_method</key>
   <string>remove_copied_items</string>
   <key>uninstallable</key>
   <true/>
   <key>version</key>
   <string>3.6.10.0.0</string>
</dict>
</plist>

At this point, you might be intimidated by the complexity of this information. But don't worry, it's very easy to generate this info with tools that are part of munki, and we'll cover that in the future. The information might look less intimidating if I were to remove the plist overhead and present a subset of the information as a simple table. Look at Table 1 for the result.


Table 1 - munki's information about an installer item

Let's look at parts of the information that munki found about Firefox.

The most important field is name. Here it is "Firefox", which matches the name in the managed_installs list in the manifest. When looking for information about a managed install, munki searches the catalogs for items matching the name given. If no version is given, it selects the item with the highest version it finds. Here the version is "3.6.10.0.0".

Once it has found information on the item to be installed, munki checks to see if the item has already been installed. Munki can do this one of two ways. If the item to be installed is installed via an Apple package, munki can check for the receipts left when a package is installed. But software that is not installed via an Apple package does not leave a receipt. And even for items that come in package format, it is possible for software to be removed (for example, by dragging an application to the trash) while leaving the receipt in place. So munki has a second method is can use to determine if an item has been installed, the installs list. For our Firefox example, here is that list:

   
  <key>installs</key>
   <array>
      <dict>
         <key>CFBundleIdentifier</key>
         <string>org.mozilla.firefox</string>
         <key>CFBundleName</key>
         <string>Firefox</string>
         <key>CFBundleShortVersionString</key>
         <string>3.6.10</string>
         <key>path</key>
         <string>/Applications/Firefox.app</string>
         <key>type</key>
         <string>application</string>
      </dict>
   </array>

A simplified version of the installs data is shown in Table 2: Installs data for Firefox 3.6.10

Installs:   
   Type:    application   
   Identifier:   org.mozilla.firefox   
   Name:    Firefox   
   Version:   3.6.10   
   Path:    /Applications/Firefox.app   

Table 2 - Installs data for Firefox 3.6.10

In this example, the installs list contains a single item. This item contains information about the Firefox application itself. Most importantly, it has the name, version and pathname for the application. Munki can then use this information to determine if Firefox is installed, and if so, compare the version of the installed application to the one defined in the catalog information about Firefox. (Munki can often find the application even if it has been moved from its normal location by using System Profiler data and the name and identifier.)

If Firefox isn't found, or the version of the installed Firefox is lower than the version described by the catalog information, munki decides that Firefox needs to be installed and downloads the disk image file containing Firefox, using information from the installer_item_location field. If we were using the sample manifest shown earlier, the check would be repeated for Thunderbird.

Let us assume that munki found that Firefox was out-of-date, but the current version of Thunderbird was installed. After downloading the disk image for Firefox 3.6.10, munki would alert the user of available updates using the Managed Software Update application, shown in Figure 1.


Figure 1 - Managed Software Update.app

As you can see, Managed Software Update.app is designed to closely resemble Apple's Software Update application so that users might quickly grasp its purpose and how to use it. Unlike Apple's Software Update application, users do not need administrative rights to install software using this application. If the user clicks Update now, munki will install Firefox 3.6.10 without an administrative prompt. The next time munki checks, it will find that Firefox is installed and not attempt to install it again.

The installs list also bestows munki with another feature: automatic repair. If a user (with administrative rights) were to remove Firefox (by accident or on purpose), munki will notice and reinstall the application. For more complex software installs, munki can check for the existence of multiple items - not only applications, but other filesystem items as well. If any of the items in the installs list are missing or out of date, a reinstall is triggered.

To remove a software item from a machine, you'd edit the manifest for the machine, moving the item from the managed_installs list to the managed_uninstalls list. If we wanted to remove Firefox, the edited manifest might look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>catalogs</key>
   <array>
      <string>testing</string>
   </array>
   <key>managed_installs</key>
   <array>
      <string>Thunderbird</string>
   </array>
   <key>managed_uninstalls</key>
   <array>
      <string>Firefox</string>
   </array>
</dict>
</plist>
This time we'll run munki from the command line:
>/usr/local/munki/managedsoftwareupdate
Managed Software Update Tool
Copyright 2010 The Munki Project
http://code.google.com/p/munki
The following items will be removed:
    - Firefox
Run managedsoftwareupdate —installonly to install the downloaded updates.

Munki sees Firefox in the list of managed_uninstalls, and uses the information in the installs array we discussed earlier to determine that Firefox is installed. Munki then schedules Firefox for removal. From the GUI, the scheduled task looks like Figure 2.


Figure 2 - Software removal

In the interface presented to the user, details about software removals are hidden by default (though the administrator can override this if he or she would like). This is to discourage users from deferring updates indefinitely because they don't want a certain application removed.

Munki Behaviors

This is a good time to discuss a major part of munki's design. Munki is designed to be polite. It never installs anything under a currently active user session without the user's approval. If no one is logged in, munki will by default install or remove software automatically, hiding the loginwindow and presenting a status window. If a user is logged in, munki notifies the user of updates and allows the user to either update right away or defer the update until later. Munki also handles multiple user logins (via Fast User Switching) gracefully and will not install items if more than one user is logged in (as doing so could cause switched-out users to lose work).

Administrators can customize these behaviors, configuring munki to never bother the user with available updates (therefore waiting to install all updates when no user is logged in), or the inverse - telling munki to never automatically install software when at the loginwindow, and instead always requiring user consent for all updates. Administrators cannot, however, easily configure munki to force an install or removal while users are logged in.

To Be Continued...

This month, we've presented a basic introduction to munki, an open-source utility for managing software installs, updates and removals on Mac OS X machines. Next time, we'll dive a little deeper and set up a proof-of-concept installation of munki on a standalone machine. This will include both the munki client tools and a working munki server. We'll then explore more of the munki toolset and look at creating munki catalogs - the listings of available software munki uses to determine if a piece of software needs to be installed or removed, and if so, how to complete the installation or removal.

In the meantime, if this month's column has piqued your interest, be sure to check out the resources available on the munki Google Code website at http://code.google.com/p/munki, and browse the archives of the munki-dev Google Group at http://groups.google.com/group/munki-dev. Until next month, have fun munki-ing around!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Summon your guild and prepare for war in...
Netmarble is making some pretty big moves with their latest update for Seven Knights Idle Adventure, with a bunch of interesting additions. Two new heroes enter the battle, there are events and bosses abound, and perhaps most interesting, a huge... | Read more »
Make the passage of time your plaything...
While some of us are still waiting for a chance to get our hands on Ash Prime - yes, don’t remind me I could currently buy him this month I’m barely hanging on - Digital Extremes has announced its next anticipated Prime Form for Warframe. Starting... | Read more »
If you can find it and fit through the d...
The holy trinity of amazing company names have come together, to release their equally amazing and adorable mobile game, Hamster Inn. Published by HyperBeard Games, and co-developed by Mum Not Proud and Little Sasquatch Studios, it's time to... | Read more »
Amikin Survival opens for pre-orders on...
Join me on the wonderful trip down the inspiration rabbit hole; much as Palworld seemingly “borrowed” many aspects from the hit Pokemon franchise, it is time for the heavily armed animal survival to also spawn some illegitimate children as Helio... | Read more »
PUBG Mobile teams up with global phenome...
Since launching in 2019, SpyxFamily has exploded to damn near catastrophic popularity, so it was only a matter of time before a mobile game snapped up a collaboration. Enter PUBG Mobile. Until May 12th, players will be able to collect a host of... | Read more »
Embark into the frozen tundra of certain...
Chucklefish, developers of hit action-adventure sandbox game Starbound and owner of one of the cutest logos in gaming, has released their roguelike deck-builder Wildfrost. Created alongside developers Gaziter and Deadpan Games, Wildfrost will... | Read more »
MoreFun Studios has announced Season 4,...
Tension has escalated in the ever-volatile world of Arena Breakout, as your old pal Randall Fisher and bosses Fred and Perrero continue to lob insults and explosives at each other, bringing us to a new phase of warfare. Season 4, Into The Fog of... | Read more »
Top Mobile Game Discounts
Every day, we pick out a curated list of the best mobile discounts on the App Store and post them here. This list won't be comprehensive, but it every game on it is recommended. Feel free to check out the coverage we did on them in the links below... | Read more »
Marvel Future Fight celebrates nine year...
Announced alongside an advertising image I can only assume was aimed squarely at myself with the prominent Deadpool and Odin featured on it, Netmarble has revealed their celebrations for the 9th anniversary of Marvel Future Fight. The Countdown... | Read more »
HoYoFair 2024 prepares to showcase over...
To say Genshin Impact took the world by storm when it was released would be an understatement. However, I think the most surprising part of the launch was just how much further it went than gaming. There have been concerts, art shows, massive... | Read more »

Price Scanner via MacPrices.net

Amazon is offering a $100 discount on every M...
Amazon is offering a $100 instant discount on each configuration of Apple’s new 13″ M3 MacBook Air, in Midnight, this weekend. These are the lowest prices currently available for new 13″ M3 MacBook... Read more
You can save $300-$480 on a 14-inch M3 Pro/Ma...
Apple has 14″ M3 Pro and M3 Max MacBook Pros in stock today and available, Certified Refurbished, starting at $1699 and ranging up to $480 off MSRP. Each model features a new outer case, shipping is... Read more
24-inch M1 iMacs available at Apple starting...
Apple has clearance M1 iMacs available in their Certified Refurbished store starting at $1049 and ranging up to $300 off original MSRP. Each iMac is in like-new condition and comes with Apple’s... Read more
Walmart continues to offer $699 13-inch M1 Ma...
Walmart continues to offer new Apple 13″ M1 MacBook Airs (8GB RAM, 256GB SSD) online for $699, $300 off original MSRP, in Space Gray, Silver, and Gold colors. These are new MacBook for sale by... Read more
B&H has 13-inch M2 MacBook Airs with 16GB...
B&H Photo has 13″ MacBook Airs with M2 CPUs, 16GB of memory, and 256GB of storage in stock and on sale for $1099, $100 off Apple’s MSRP for this configuration. Free 1-2 day delivery is available... Read more
14-inch M3 MacBook Pro with 16GB of RAM avail...
Apple has the 14″ M3 MacBook Pro with 16GB of RAM and 1TB of storage, Certified Refurbished, available for $300 off MSRP. Each MacBook Pro features a new outer case, shipping is free, and an Apple 1-... Read more
Apple M2 Mac minis on sale for up to $150 off...
Amazon has Apple’s M2-powered Mac minis in stock and on sale for $100-$150 off MSRP, each including free delivery: – Mac mini M2/256GB SSD: $499, save $100 – Mac mini M2/512GB SSD: $699, save $100 –... Read more
Amazon is offering a $200 discount on 14-inch...
Amazon has 14-inch M3 MacBook Pros in stock and on sale for $200 off MSRP. Shipping is free. Note that Amazon’s stock tends to come and go: – 14″ M3 MacBook Pro (8GB RAM/512GB SSD): $1399.99, $200... Read more
Sunday Sale: 13-inch M3 MacBook Air for $999,...
Several Apple retailers have the new 13″ MacBook Air with an M3 CPU in stock and on sale today for only $999 in Midnight. These are the lowest prices currently available for new 13″ M3 MacBook Airs... Read more
Multiple Apple retailers are offering 13-inch...
Several Apple retailers have 13″ MacBook Airs with M2 CPUs in stock and on sale this weekend starting at only $849 in Space Gray, Silver, Starlight, and Midnight colors. These are the lowest prices... Read more

Jobs Board

Relationship Banker - *Apple* Valley Financ...
Relationship Banker - Apple Valley Financial Center APPLE VALLEY, Minnesota **Job Description:** At Bank of America, we are guided by a common purpose to help Read more
IN6728 Optometrist- *Apple* Valley, CA- Tar...
Date: Apr 9, 2024 Brand: Target Optical Location: Apple Valley, CA, US, 92308 **Requisition ID:** 824398 At Target Optical, we help people see and look great - and Read more
Medical Assistant - Orthopedics *Apple* Hil...
Medical Assistant - Orthopedics Apple Hill York Location: WellSpan Medical Group, York, PA Schedule: Full Time Sign-On Bonus Eligible Remote/Hybrid Regular Apply Now Read more
*Apple* Systems Administrator - JAMF - Activ...
…**Public Trust/Other Required:** None **Job Family:** Systems Administration **Skills:** Apple Platforms,Computer Servers,Jamf Pro **Experience:** 3 + years of Read more
Liquor Stock Clerk - S. *Apple* St. - Idaho...
Liquor Stock Clerk - S. Apple St. Boise Posting Begin Date: 2023/10/10 Posting End Date: 2024/10/14 Category: Retail Sub Category: Customer Service Work Type: Part Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.