TweetFollow Us on Twitter

MacEnterprise: Managing Software Installs with Munki

Volume Number: 26
Issue Number: 10
Column Tag: MacEnterprise

MacEnterprise: Managing Software Installs with Munki

An introduction to software deployment with Munki

By Greg Neagle, MacEnterprise.org

Introduction

Managing Mac OS X machines has many facets. Common tasks include the initial building or imaging of machines, configuration of the OS and applications for use, managing user accounts, setting and enforcing organizational policies, and inventorying hardware and software. Remotely assisting users might also come under the category of Mac management.

Another very common task is installing, updating, and removing software on deployed machines. There are some organizations that build their machines with a "golden master" image, and then never touch them again until they are reimaged, but that's a rare arrangement. For most organizations, there is a continuing need to add, update, and remove software from machines that have been deployed.

There are several commercial tools available to assist you with this task. Among these are the Casper Suite, Absolute Manage (formerly LANrev), KBox, and FileWave. There are also some free tools. Radmind, developed at the University of Michigan, is a tool to manage the contents of a filesystem. Its design allowed it also be used as a software management system, and it has enjoyed some popularity among Mac OS X administrators. I, personally, have used it for the better part of a decade to manage hundreds of Mac OS X machines.

For various reasons, a couple of years ago, I began to look at alternatives to radmind. I needed a system that did not manage the entire filesystem and allowed greater flexibility for users to decide what was installed on their machines, and I wanted a system that removed much of the tedium of adding new software to the management system. The commercial solutions mentioned earlier probably would have met my needs, but timing and finances meant that I'd have to wait a year before we could consider purchasing one of these solutions. So with a year to wait before I could possibly buy a commercial solution, I decided to try writing my own software management utility. The result is munki.

Although munki is relatively new compared to radmind and many of the commercial solutions, it has been in use at my organization for over a year, and is in use by many other organizations world-wide.

What Munki Does

Munki consists of client-side tools written largely in Python, and is available as open-source under the Apache 2 license at http://code.google.com/p/munki. The client tools run on Leopard and Snow Leopard. They require Python 2.5, and so will not run on Tiger or earlier versions of Mac OS X.

On the server side, munki can use any web server. I run my munki repository on an Xserve running Snow Leopard Server, but you can use any available modern web server on any platform. (I say "modern" because some software packages can be over 2GB in size and older web servers have problems serving files of that size.) You do not need to install any munki-specific software on the web server, but you must be able to create directories and files on the web server.

Munki can install software delivered as standard Apple packages - the same kind of packages, that when double-clicked, open in Apple's Installer.app. Munki can also install software from disk images - for example, an application delivered on a disk image that is supposed to be dragged to the Applications folder. These "drag-n-drop disk images" are easily installed by munki. Munki also knows how to install many Adobe products - specifically, it can install the Adobe CS3, CS4, and CS5 products and their updates. In many cases, munki can also remove the software it has installed.

Munki also supports "Optional Software". These are items that are made available to the users of machines your manage, who can decide for themselves whether or not they'd like any of these items installed. If they choose to install an optional software item, they can also later remove it. This feature does not require admin rights for the user, and is similar in concept to "Self Service" installs offered by the Casper Suite from JAMF Software.

Additionally, munki can update software it did not install itself. You can specify that certain software should be updated only if some version is found already installed on a user's machine.

What Munki Doesn't Do

Earlier, we mentioned that managing Mac OS X machines has many facets. Many of the commercial solutions for software deployment also provide solutions for other facets of Mac management. Munki does not. Munki focuses only on software deployment. You'll need to turn to other tools for imaging, inventory, remote assistance, and preference management. At my organization, we're using DeployStudio for imaging and Apple's Screen Sharing for remote assistance. If you've been reading this column for very long, it shouldn't come as a surprise that we're using Local MCX for preference management.

Munki Pieces

Most of the data munki needs to function is stored on a web server. Munki uses three types of data:

Installer items: these are packages or disk images containing the software to be installed. In many cases, you can use a package or disk image provided by the software vendor without having to repackage or convert the installer package in any way. For example, munki can install Firefox from the disk image that you download from http://www.mozilla.com.

Catalogs: these are lists of available software, containing metadata about the installer items. You, as the munki administrator, build these catalogs using tools provided with munki.

Manifests: A manifest is essentially a list of what software should be installed on or removed from a given machine. You could have a different manifest for every machine, or one manifest for all of your machines. Manifests can include the contents of other manifests, allowing you to group software for easy addition to client manifests. For example, you could create a manifest listing all of the software every machine in your organization must have. The manifest for a client could then include the common-software manifest, and additionally have software unique to that client.

Manifests and catalogs are stored on the web server as standard Apple plist files in text format. If you've administered Mac OS X machines, you've almost certainly encountered plist files. They are a well-understood way to store structured data in a text format. Here's an example of a simple manifest:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>catalogs</key>
   <array>
      <string>production</string>
   </array>
   <key>managed_installs</key>
   <array>
      <string>Firefox</string>
      <string>Thunderbird</string>
   </array>
</dict>
</plist>

This manifest simply tells munki to look for information about software to install in the "production" catalog, and to ensure Firefox and Thunderbird are installed. Munki then searches the production catalog for items named "Firefox" and "Thunderbird", and since we did not specify a version, it selects the items with the latest versions. Here's what it finds for Firefox:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>autoremove</key>
   <false/>
   <key>catalogs</key>
   <array>
      <string>production</string>
   </array>
   <key>installer_item_hash</key>
   <string>10ede8228c869ba4b03611b6ec750acbccf879f20ce52cb86e1baf6972f60fb0</string>
   <key>installer_item_location</key>
   <string>Firefox 3.6.10.dmg</string>
   <key>installer_item_size</key>
   <integer>18996</integer>
   <key>installer_type</key>
   <string>copy_from_dmg</string>
   <key>installs</key>
   <array>
      <dict>
         <key>CFBundleIdentifier</key>
         <string>org.mozilla.firefox</string>
         <key>CFBundleName</key>
         <string>Firefox</string>
         <key>CFBundleShortVersionString</key>
         <string>3.6.10</string>
         <key>path</key>
         <string>/Applications/Firefox.app</string>
         <key>type</key>
         <string>application</string>
      </dict>
   </array>
   <key>items_to_copy</key>
   <array>
      <dict>
         <key>destination_path</key>
         <string>/Applications</string>
         <key>source_item</key>
         <string>Firefox.app</string>
      </dict>
   </array>
   <key>minimum_os_version</key>
   <string>10.4.0</string>
   <key>name</key>
   <string>Firefox</string>
   <key>uninstall_method</key>
   <string>remove_copied_items</string>
   <key>uninstallable</key>
   <true/>
   <key>version</key>
   <string>3.6.10.0.0</string>
</dict>
</plist>

At this point, you might be intimidated by the complexity of this information. But don't worry, it's very easy to generate this info with tools that are part of munki, and we'll cover that in the future. The information might look less intimidating if I were to remove the plist overhead and present a subset of the information as a simple table. Look at Table 1 for the result.


Table 1 - munki's information about an installer item

Let's look at parts of the information that munki found about Firefox.

The most important field is name. Here it is "Firefox", which matches the name in the managed_installs list in the manifest. When looking for information about a managed install, munki searches the catalogs for items matching the name given. If no version is given, it selects the item with the highest version it finds. Here the version is "3.6.10.0.0".

Once it has found information on the item to be installed, munki checks to see if the item has already been installed. Munki can do this one of two ways. If the item to be installed is installed via an Apple package, munki can check for the receipts left when a package is installed. But software that is not installed via an Apple package does not leave a receipt. And even for items that come in package format, it is possible for software to be removed (for example, by dragging an application to the trash) while leaving the receipt in place. So munki has a second method is can use to determine if an item has been installed, the installs list. For our Firefox example, here is that list:

   
  <key>installs</key>
   <array>
      <dict>
         <key>CFBundleIdentifier</key>
         <string>org.mozilla.firefox</string>
         <key>CFBundleName</key>
         <string>Firefox</string>
         <key>CFBundleShortVersionString</key>
         <string>3.6.10</string>
         <key>path</key>
         <string>/Applications/Firefox.app</string>
         <key>type</key>
         <string>application</string>
      </dict>
   </array>

A simplified version of the installs data is shown in Table 2: Installs data for Firefox 3.6.10

Installs:   
   Type:    application   
   Identifier:   org.mozilla.firefox   
   Name:    Firefox   
   Version:   3.6.10   
   Path:    /Applications/Firefox.app   

Table 2 - Installs data for Firefox 3.6.10

In this example, the installs list contains a single item. This item contains information about the Firefox application itself. Most importantly, it has the name, version and pathname for the application. Munki can then use this information to determine if Firefox is installed, and if so, compare the version of the installed application to the one defined in the catalog information about Firefox. (Munki can often find the application even if it has been moved from its normal location by using System Profiler data and the name and identifier.)

If Firefox isn't found, or the version of the installed Firefox is lower than the version described by the catalog information, munki decides that Firefox needs to be installed and downloads the disk image file containing Firefox, using information from the installer_item_location field. If we were using the sample manifest shown earlier, the check would be repeated for Thunderbird.

Let us assume that munki found that Firefox was out-of-date, but the current version of Thunderbird was installed. After downloading the disk image for Firefox 3.6.10, munki would alert the user of available updates using the Managed Software Update application, shown in Figure 1.


Figure 1 - Managed Software Update.app

As you can see, Managed Software Update.app is designed to closely resemble Apple's Software Update application so that users might quickly grasp its purpose and how to use it. Unlike Apple's Software Update application, users do not need administrative rights to install software using this application. If the user clicks Update now, munki will install Firefox 3.6.10 without an administrative prompt. The next time munki checks, it will find that Firefox is installed and not attempt to install it again.

The installs list also bestows munki with another feature: automatic repair. If a user (with administrative rights) were to remove Firefox (by accident or on purpose), munki will notice and reinstall the application. For more complex software installs, munki can check for the existence of multiple items - not only applications, but other filesystem items as well. If any of the items in the installs list are missing or out of date, a reinstall is triggered.

To remove a software item from a machine, you'd edit the manifest for the machine, moving the item from the managed_installs list to the managed_uninstalls list. If we wanted to remove Firefox, the edited manifest might look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>catalogs</key>
   <array>
      <string>testing</string>
   </array>
   <key>managed_installs</key>
   <array>
      <string>Thunderbird</string>
   </array>
   <key>managed_uninstalls</key>
   <array>
      <string>Firefox</string>
   </array>
</dict>
</plist>
This time we'll run munki from the command line:
>/usr/local/munki/managedsoftwareupdate
Managed Software Update Tool
Copyright 2010 The Munki Project
http://code.google.com/p/munki
The following items will be removed:
    - Firefox
Run managedsoftwareupdate —installonly to install the downloaded updates.

Munki sees Firefox in the list of managed_uninstalls, and uses the information in the installs array we discussed earlier to determine that Firefox is installed. Munki then schedules Firefox for removal. From the GUI, the scheduled task looks like Figure 2.


Figure 2 - Software removal

In the interface presented to the user, details about software removals are hidden by default (though the administrator can override this if he or she would like). This is to discourage users from deferring updates indefinitely because they don't want a certain application removed.

Munki Behaviors

This is a good time to discuss a major part of munki's design. Munki is designed to be polite. It never installs anything under a currently active user session without the user's approval. If no one is logged in, munki will by default install or remove software automatically, hiding the loginwindow and presenting a status window. If a user is logged in, munki notifies the user of updates and allows the user to either update right away or defer the update until later. Munki also handles multiple user logins (via Fast User Switching) gracefully and will not install items if more than one user is logged in (as doing so could cause switched-out users to lose work).

Administrators can customize these behaviors, configuring munki to never bother the user with available updates (therefore waiting to install all updates when no user is logged in), or the inverse - telling munki to never automatically install software when at the loginwindow, and instead always requiring user consent for all updates. Administrators cannot, however, easily configure munki to force an install or removal while users are logged in.

To Be Continued...

This month, we've presented a basic introduction to munki, an open-source utility for managing software installs, updates and removals on Mac OS X machines. Next time, we'll dive a little deeper and set up a proof-of-concept installation of munki on a standalone machine. This will include both the munki client tools and a working munki server. We'll then explore more of the munki toolset and look at creating munki catalogs - the listings of available software munki uses to determine if a piece of software needs to be installed or removed, and if so, how to complete the installation or removal.

In the meantime, if this month's column has piqued your interest, be sure to check out the resources available on the munki Google Code website at http://code.google.com/p/munki, and browse the archives of the munki-dev Google Group at http://groups.google.com/group/munki-dev. Until next month, have fun munki-ing around!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Dropbox 193.4.5594 - Cloud backup and sy...
Dropbox is a file hosting service that provides cloud storage, file synchronization, personal cloud, and client software. It is a modern workspace that allows you to get to all of your files, manage... Read more
Google Chrome 122.0.6261.57 - Modern and...
Google Chrome is a Web browser by Google, created to be a modern platform for Web pages and applications. It utilizes very fast loading of Web pages and has a V8 engine, which is a custom built... Read more
Skype 8.113.0.210 - Voice-over-internet...
Skype is a telecommunications app that provides HD video calls, instant messaging, calling to any phone number or landline, and Skype for Business for productive cooperation on the projects. This... Read more
Tor Browser 13.0.10 - Anonymize Web brow...
Using Tor Browser you can protect yourself against tracking, surveillance, and censorship. Tor was originally designed, implemented, and deployed as a third-generation onion-routing project of the U.... Read more
Deeper 3.0.4 - Enable hidden features in...
Deeper is a personalization utility for macOS which allows you to enable and disable the hidden functions of the Finder, Dock, QuickTime, Safari, iTunes, login window, Spotlight, and many of Apple's... Read more
OnyX 4.5.5 - Maintenance and optimizatio...
OnyX is a multifunction utility that you can use to verify the startup disk and the structure of its system files, to run miscellaneous maintenance and cleaning tasks, to configure parameters in the... Read more
Hopper Disassembler 5.14.1 - Binary disa...
Hopper Disassembler is a binary disassembler, decompiler, and debugger for 32- and 64-bit executables. It will let you disassemble any binary you want, and provide you all the information about its... Read more
WhatsApp 24.3.78 - Desktop client for Wh...
WhatsApp is the desktop client for WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for... Read more
War Thunder 2.33.0.135 - Multiplayer war...
In War Thunder, aircraft, attack helicopters, ground forces and naval ships collaborate in realistic competitive battles. You can choose from over 1,500 vehicles and an extensive variety of combat... Read more
Iridient Developer 4.2 - Powerful image-...
Iridient Developer (was RAW Developer) is a powerful image-conversion application designed specifically for OS X. Iridient Developer gives advanced photographers total control over every aspect of... Read more

Latest Forum Discussions

See All

Best iPhone Game Updates: ‘Shoot the Moo...
Hello everyone, and welcome to the week! It’s time once again for our look back at the noteworthy updates of the last seven days. It feels like a bit of a dry spell this week, at least in terms of really interesting updates. I mean, I found some... | Read more »
Celebrate Phobies spooky second annivers...
Get ready to have that classic song stuck in your head, as Phobies celebrates its second anniversary with the release of its latest update; Birthday Bash, Monster Mash. Starting March 5th and lasting for four weeks, it will be a month of... | Read more »
‘Dissidia Final Fantasy Opera Omnia’ Sto...
Square Enix finally shut down Dissidia Final Fantasy Opera Omnia (Free) on iOS and Android last week following the end of service announcement back in November last year. Following the game shutting down, Square Enix | Read more »
‘Monster Hunter Now’ Is Celebrating the...
Niantic and Capcom have begun celebrating the 20th anniversary of Capcom’s best franchise from today inside Monster Hunter Now (Free) on iOS and Android for a limited time. | Read more »
New ‘Warframe Mobile’ Update Adds 60fps...
Warframe Mobile (Free) launched worldwide on iOS just under two weeks ago. I’ve been playing it for review across multiple iOS devices, but have also been picking it up on Steam Deck and Switch to compare. Right from launch, I was impressed with... | Read more »
Passionate About Fidget Toys – The Touch...
In this week’s episode of The TouchArcade Show we kick things off with some passionate discussion about… fidget toys? For some reason? We quickly change gears to talk about the card-based rogulike Balatro, which we’ve both been playing and enjoying... | Read more »
TouchArcade Game of the Week: ‘Flying Ta...
For me Hexage is one of those developers that harkens back to the early days of the App Store and really the beginnings of iPhone gaming. I have spent many collective hours playing the likes of Totemo, Radiant, Radiant Defense, EVAC, Reaper… the... | Read more »
SwitchArcade Round-Up: ‘Ufouria 2: The S...
Hello gentle readers, and welcome to the SwitchArcade Round-Up for March 1st, 2024. In today’s article, we’re looking at the remaining releases of the week. There are a few really good ones today, but the bin bunch certainly isn’t going home hungry... | Read more »
Steam Deck Weekly: Reviews of PowerWash...
Welcome to the first Steam Deck Weekly of March and this week’s edition is bigger than usual. I was a bit unwell last week and had to push some reviews to this week. Alongside that, there have been many notable announcements, releases, and new Steam... | Read more »
10 Under $10: Ten Cheap, Good Nintendo S...
Hello, friends. It’s time yet again for a list of good Nintendo Switch games for reasonable prices. This time around, we’re wading into the extremely crowded waters of the shoot-em-up genre. Per the usual rules, the regular price of the game has to... | Read more »

Price Scanner via MacPrices.net

Apple discontinues 15-inch M2 MacBook Airs, d...
With today’s introduction of new M3-powered 15″ MacBook Airs, Apple has dropped prices on clearance, Certified Refurbished, 15″ M2 MacBook Airs to a new low of $1019. These are the cheapest 15″... Read more
Price Drop! 13-inch M2 MacBook Airs at Apple...
Apple has dropped prices on Certified Refurbished 13″ M2 MacBook Airs to a new low of $849. These are the cheapest M2-powered MacBooks for sale at Apple. Apple’s one-year warranty is included,... Read more
Apple finally discontinues the 13-inch M1 Mac...
With the introduction of M3-powered 13″ MacBook Airs today, Apple has dropped prices on clearance 13″ M1 MacBook Airs, Certified Refurbished, to $759 for 8-Core CPU/7-Core GPU/256GB models and $929... Read more
Updated Apple iPad Price Trackers
Our Apple award-winning iPad Price Trackers are the best place to find the latest information on iPad sales and deals. We track prices from 20+ Apple retailers, including Apple, Amazon, Best Buy,... Read more
Updated Apple MacBook Price Trackers
Our Apple award-winning MacBook Price Trackers are continually updated with the latest information on prices, bundles, and availability for 16″, 14″, and (recently-discontinued) 13″ MacBook Pros... Read more
Mac Studios with Apple M2 Max and M2 Ultra CP...
B&H Photo has the standard-configuration Mac Studio model with Apple’s M2 Ultra CPU in stock today and on sale for $300 off MSRP, now $3699 (24-Core CPU and 64GB RAM/1TB SSD). B&H Photo has... Read more
Extended: Switch to Verizon and get the Apple...
Verizon has the iPhone 15 on sale for $0 per month when you add a new line if service. Discount is applied to your account monthly over a 36 month term and is valid for the 128GB model. For the first... Read more
Select 16-inch M3 Pro and M3 Max MacBook Pros...
B&H Photo has select 16-inch M3 Pro and M3 Max MacBook Pros on sale for $250 off MSRP. Their prices are the lowest currently available for these configurations. Free 1-2 day shipping is available... Read more
27-inch Apple Studio Displays on sale for $10...
B&H Photo has 27″ Apple Studio Displays on sale for $100 off MSRP today. Free 1-2 day shipping is available to most US addresses: – Studio Display (Standard glass, Tilt stand): $1499 $100 off... Read more
iPad Airs return to their all-time lowest pri...
Best Buy has 10.9″ M1 WiFi iPad Airs on record-low sale prices again for $150 off Apple’s MSRP, starting at $449. Sale prices for online orders only, in-store price may vary. Order online, and choose... Read more

Jobs Board

Teller Part Time *Apple* Valley MN *Apple*...
…is not eligible for Visa sponsorship **Posting Location:** + 15574 Pilot Knod Road Apple Valley, MN 55124 @RWF22 **Posting End Date:** Job posting may come down Read more
*Apple* End User Support Specialist - North...
…that they are performed. + Responsible for support of all College owned Apple computers, mobile ios devices, and peripherals, and for diagnosing and resolving Read more
Omnichannel Associate - *Apple* Blossom Mal...
Omnichannel Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Read more
Teller Part Time *Apple* Valley MN *Apple*...
…is not eligible for Visa sponsorship **Posting Location:** + 15574 Pilot Knod Road Apple Valley, MN 55124 @RWF22 **Posting End Date:** Job posting may come down Read more
Nurse Anesthetist - *Apple* Hill Surgery Ce...
Nurse Anesthetist - Apple Hill Surgery Center WellSpan Medical Group, York, PA | Advanced Practice Providers | Certified Registered Nurse Anesthetists | FTE: 1 | Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.