If I understand you correctly, you would like your users to update Tunnelblick without a computer admin username/password.
As I wrote earlier, I don't expect to add that to Tunnelblick.
Although you haven't provided logs, I am guessing that Munki (or your Munki configuration for Tunnelblick) does not update the version of "tunnelblickd" that is being used by the system.
That is tricky to do because although tunnelblickd is contained within Tunnelblick, and is thus updated when you update Tunnelblick, the OS uses a cached copy of the old tunnelblickd. Tunnelblick uses the "tunnelblickd-hash.txt" and "tunnelblickd-launchctl-plist-hash.txt" files that are located in /Library/Application Support/Tunnelblick to detect that situation. When Tunnelblick loads tunnelblickd, it sets the two files to contain the hashes of the tunnelblickd binary and the .plist that are used to load it. When Tunnelblick launches, it checks that the hashes are as expected. If not, it means that Tunnelblick was updated and has a new tunnelblickd binary, so it unloads the old tunnelblickd and reloads the new one. That is what is requiring the admin username/password.