Munki and VPP

[John Lockwood]

I am aware Munki does not have built-in support for Apple's VPP program and downloading and deploying such apps, nor am I asking that such a feature be added.

I believe it is possible to use Munki to deploy an App store app if it allows removing the app store receipt. (Likely mainly free ones.) This would not be suitable for my requirement as below.

What I was wondering was if it might be possible to create a payload free 'installer' in Munki which runs a script which tells Jamf Pro's Self Service app to install the matching VPP app. For those unaware Jamf's Self Service app can deploy VPP apps from the Apple app store.

If anyone has managed to do this, do they have an example they can provide?

Yes obviously the above indicates the user could simply run Jamf's Self Service app and install via that without using Munki, yes the Mac in question would have both Jamf's Self Service and Munki installed.

My plan is to purely use Jamf's Self Service app for VPP apps and use Munki as the main tool and by listing all apps including VPP apps in Munki provide a single place to direct users to.

Note: Neither AutoPkg or Munki would handle updating the VPP app installed via the above hypothetical approach. Since Munki would be telling Jamf's Self Service app to do this then as normal and in this case desired Jamf's Self Service would also handle triggering updates for these VPP apps from the app store. As a result updating would still work as normal.

[Patrick Gallagher]

You would need a way to call that self-service item from the command line, which Jamf does not provide for VPP apps. The closest you could get is to use Munki to create a condition (such as dropping a receipt somewhere that an EA could read) that would put it in scope, then run a recon and the app should deploy (would need to be an automatic deployment, not self service). But if that condition/receipt were ever removed, it would fall out of scope and the app would be removed. 

--
You received this message because you are subscribed to the Google Groups "munki-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-discuss/611fb59a-28f5-4c19-94d1-b839f05dc941n%40googlegroups.com.

[John Lockwood]

Thanks your suggest has led me to an approach that I believe will achieve what I want and I am detailing it here for the benefit of everyone.

It may or may not be possible to send a script command to Jamf's Self Service but as you suggest an easier way is going to be to use a trigger to get a Jamf policy to run and do the install. Your approach would work but would be a more lengthy process involving as you state setting something e.g. a lock file, or a text string, or a plist entry which a jamf recon would pickup - perhaps using a combination of an extension attribute and a smart group.

However a much more elegant way is to use the sudo jamf policy -trigger customeventname command and defining a set of policies in Jamf each with a custom event and each of which would do the install of the desired VPP package.

I found the following article about using custom jamf event triggers and the example is for installing Google Chrome and to be triggered by running a payload free package which calls the above format jamf policy command.

https://community.jamf.com/t5/jamf-pro/custom-event-triggers/m-p/74261/highlight/true#M63378

So I would define a set of policies in Jamf Pro one per VPP package and could use the name of the package as the basis of the name of the custom event. I would also create as per my original suggestion a series of payload free packages in Munki that run a shell script which calls the above style jamf policy -trigger command.

This approach does not require creating any trigger files on the Mac (which could be deleted) and does not require running a jamf recon and hence would immediately trigger the install of the VPP package.

[John Lockwood]

I am coming back to this after a while. I was not able to get it to work originally and I believe this was down to the way the script has to be run and more importantly how the script then executes the command sent to Jamf Self Service which has to be done as the user!

I found the following script which seems to do this successfully.

https://community.jamf.com/t5/jamf-pro/script-to-launch-self-service-from-policy/m-p/190052/highlight/true#M178853

My question now is how to handle quitting the Self Service app after the install but without the risk of interrupting the install.