Regardless of how much (or whether at all) you make use of Munki's
great self-service features, even if you _only_ consider how
well-thought out its handling of installation and removals are - the
ability to control how it does or doesn't interact with the user,
handles logouts and restarts well, its built-in mechanisms for
detecting running applications and installing only when it's safe to
do so, very robust and seamless handling of Apple updates and Adobe
installers, and almost never a need to repackage a vendor installer -
CM systems like those you mention simply don't have the Mac-specific
support required to handle these features, and they will never be able
to because they aren't designed to manage desktop OSes.
Puppet seems to have the most inertia in terms of some Mac support,
but the support in core modules is _very_ dated at this point and the
community support seems to be largely thanks to very few maintained
modules such as Brian Warsing's
(
http://dayglojesus.github.io/managedmac). Chef has some limited
support and the others can do on a Mac the typical UNIX stuff:
template files on disk, enforce permissions, users, sudoers, etc. So
for wherever you want to "configuration manage," you can use these
tools to some effect and probably more effectively than using Munki,
but you'll also find they're of limited use simply due to the range of
things which might need to be configured.
More and more of these CM 'tasks' are best handled using Configuration
Profiles, and Munki actually has good built-in support for these. I've
been able to get by using Munki as my "configuration management"
system instead of implementing another tool, just because the things I
would use Puppet for only account for about 5% of the items in my
repository - the rest are installers for software, updates,
configuration profiles and supporting LaunchAgents/LaunchDaemons.
Since Munki is the best package installer and I ship most of these
things in the form of installer packages (or vendor apps in disk
images), it makes sense to just have Munki do some of the work that
might be better suited to something like Puppet (like 'enforcing' a
firewall configuration, for example).
If you had a desire to use another system just to handle the
"layering" of client configurations (Hiera, for example) it's entirely
feasible to do more dynamic configuration of clients with some added
server-side code as well.
Tim