Munki 2.2 Release Candidate 1

239 views
Skip to first unread message

Gregory Neagle

unread,
Jan 13, 2015, 10:06:28 AM1/13/15
to munk...@googlegroups.com
https://github.com/munki/munki/releases/tag/v2.2.0.2365

This is Release Candidate 1 of Munki 2.2.

Munki 2.2 adds "native" support for configuration profiles. Instead of having to wrap a configuration profile in a package to be able to deploy with Munki, Munki now supports configuration profiles as an item it knows how to install and remove without "wrapping".

Use munkiimport /path/to/some.mobileconfig to import a .mobileconfig file into your Munki repo. From there, you can treat it in manifests as you would any other piece of software -- you can add it to managed_installs, managed_uninstalls, optional_installs, etc.

-Greg

Patrick McNeal

unread,
Jan 14, 2015, 1:10:49 PM1/14/15
to munk...@googlegroups.com
Is there a preferred munki/autopkg way to create configuration profiles? Say, one that's particularly version control and automation friendly?


--
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Gregory Neagle

unread,
Jan 14, 2015, 1:17:18 PM1/14/15
to munk...@googlegroups.com
Not really.

Unsigned configuration profiles are just plist (text) files, so they are pretty easy to version control in Git, for example.
Signed and/or encrypted profiles are encoded, so they are harder to version control.

As for creating configuration profiles, I use three primary tools: 

- Profile Manager running on OS X Server running in a virtual machine; I spin up the VM as needed.
- Tim Sutton's mcxToProfile tool to convert existing MCX and/or preferences plists: https://github.com/timsutton/mcxToProfile
- A text editor (TextMate currently) to edit profiles to be more surgical/specific -- Profile Manager profiles tend to affect too much out of the box, and using existing preferences plists with mcxToProfile tends to pick up extra preference keys as well. I use a text editor to remove all the detritus.

-Greg

Gregory Neagle

unread,
Jan 14, 2015, 1:30:59 PM1/14/15
to munk...@googlegroups.com
On Jan 14, 2015, at 10:17 AM, Gregory Neagle <gregn...@mac.com> wrote:

Unsigned configuration profiles are just plist (text) files, so they are pretty easy to version control in Git, for example.

jtr...@gmail.com

unread,
Jan 16, 2015, 2:19:55 PM1/16/15
to munk...@googlegroups.com
I am testing configuration profile deployment with Munki build 2.2.0.2365.

I have one configuration profile imported and added to the managed_installs array in the manifest. In Managed Software Center in my test VM I can see the pending profile install under Updates. If I click UPDATE, then the profile is successfully installed (according to the Munki log and by looking at Profiles in System Preferences) however the MSC GUI still lists it as a pending update. I have to manually run managedsoftwareupdate (or wait for the launchd job) to clear it out of the Updates list in MSC.

jtr...@gmail.com

unread,
Jan 16, 2015, 2:28:57 PM1/16/15
to munk...@googlegroups.com
I just removed MunkiReport from this machine (to make the Munki logs easier to read), removed all existing configuration profiles, rebooted and tried again. I see this message in the install log

Jan 16 2015 14:26:12 -0500 Install of Safari Configuration Profile-20150113: FAILED with return code: True


But I can see that the profile has been installed. This is on a Mavericks 10.9.5 system. I wonder if there is something in my profile that it doesn't like. It is unsigned, but I have put a removal password on it.

Gregory Neagle

unread,
Jan 16, 2015, 2:30:08 PM1/16/15
to munk...@googlegroups.com
Mind sharing the profile, or a modified one that demonstrates the same issue?

-Greg

jtr...@gmail.com

unread,
Jan 16, 2015, 2:39:33 PM1/16/15
to munk...@googlegroups.com
Sure, here is a simple profile that is exhibiting the same behavior:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.apple.NetworkBrowser</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>DisableAirDrop</key>
<true/>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDisplayName</key>
<string>com.apple.NetworkBrowser</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>c42dc11f-b4cf-42f0-a05f-0e6a7111bb6f.alacarte.customsettings.0fec29c2-9872-41f0-a967-3ae8b9e97b47</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>0fec29c2-9872-41f0-a967-3ae8b9e97b47</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.profileRemovalPassword</string>
<key>RemovalPassword</key>
<string>pass*word</string>
<key>PayloadUUID</key>
<string>91051828-b535-49bb-bd70-926d1284dcfa</string>
<key>HasRemovalPasscode</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Included custom settings:
com.apple.NetworkBrowser
</string>
<key>PayloadDisplayName</key>
<string>com.apple.NetworkBrowser</string>
<key>PayloadIdentifier</key>
<string>com.apple.NetworkBrowser</string>
<key>PayloadOrganization</key>
<string>Company</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>c42dc11f-b4cf-42f0-a05f-0e6a7111bb6f</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


This is what I was doing to import it:

munkiimport -n \
--subdirectory COMPANY/profiles \
-c PROD \
--unattended_install \
--minimum_os_vers=10.8.5 \
--icon=profile.png \
--name=profile_nb \
--displayname='Configuration Profile' \
--developer='My Company' \
--pkgvers='20150113' \
profiles/com.apple.NetworkBrowser.mobileconfig


This is the relevant section of the manifest:
<key>managed_installs</key>
<array>
<string>profile_nb</string>
</array>



Gregory Neagle

unread,
Jan 16, 2015, 3:06:33 PM1/16/15
to munk...@googlegroups.com
Thanks. I see the issue, and it's not profile specific.


I'll have a new release candidate later today.

-Greg

James Trater

unread,
Jan 16, 2015, 4:05:55 PM1/16/15
to munk...@googlegroups.com
Thanks Greg. I'm excited about being able to manage config profiles with Munki.
You received this message because you are subscribed to a topic in the Google Groups "munki-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/munki-dev/TbHOLhi4qz8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to munki-dev+...@googlegroups.com.

Gregory Neagle

unread,
Jan 16, 2015, 4:25:50 PM1/16/15
to munk...@googlegroups.com
For a nice write-up of one use of the new features, take a gander at: http://scriptingosx.com/2015/01/push-settings-with-munkis-new-profile-support/

-Greg
Reply all
Reply to author
Forward
0 new messages