I’ve noticed of late that new Munki admins seem to struggle most with the initial Munki run.
It’s a common want to have Munki run as soon as possible after the first boot of a deployed machine so that it can install needed software as soon as possible. A default install of just the Munki tools may not do a background check-and-install for up to two hours after the initial install of the tools.
If we rewind a few years (OK, closer to ten) a very common deployment method was “imaging”: you’d prep a machine for deployment by imaging the startup disk with a pre-prepared disk image. That image could contain the OS, the Munki tools, and a trigger file that caused Munki to enter “bootstrap mode” when the OS boots. So you’d image the machine, and on the first boot, Munki would run in bootstrap mode, checking for updates, downloading software, and installing it, in a loop, until it has nothing to do. Once it was done, the machine would be at the login window, ready for a user to login (perhaps with an AD or LDAP account).
Even after imaging became less useful, people could use tools like Bootstrappr to “inject” the Munki tools and the bootstrap trigger file onto the startup disk of a machine. So again, on the first boot, Munki would run in bootstrap mode.
But now the most common deployment workflow is to use MDM together with DEP/ADE. In this workflow, your MDM server installs the Munkitools during Automatic Device Enrollment. For whatever reason, it’s only been possible to reliably install one single package during ADE, making it difficult to install the Munki tools and a second package that triggers bootstrap (or a background run). So there are flags to the Munki package build scripts that can inject component packages that trigger either bootstrap mode or an immediate background run.
(You’d probably want bootstrap mode if no user is created during ADE enrollment; if a user account is created, since the Mac then never stops at the login window, but instead goes directly to the new user’s desktop, in that situation you’d want to just trigger an immediate background run.)
But making use of these options means building the Munki tools and package yourself, and signing it all properly. This is difficult for many Mac admins, and tedious in any case. Most admins would rather use a pre-built (and pre-signed!) package, like the ones offered at
https://github.com/macadmins/munki-builds The packages offered there are for general usage, including for upgrades of existing Munki installs, and therefore do not contain any of the extra bootstrapping/background run components.
So it’s a struggle. Mac admins need to either build the tools themselves with the correct options, or figure out some other way that works with their deployment tools to trigger a bootstrapping/background run soon after the Munki tools are installed.
I want to make this easier.
My goal: a single “style” of Munki tools package that (subject to control of the admin) will do a bootstrap run/background run without having to install anything else.
The idea I have is a new ManagedInstalls preference that could be in an MDM profile. Something like “AutoRunOnInitialInstall”.
A preinstall script might determine if there is an existing Munki install: if not, we check for that preference. If set, we can set bootstrap mode, or we can set up an automatic background run.
This all seems doable and not terribly hard. But I’d be interested in other people’s thoughts!