Push munki by Intune (Endpoint) and notarize


Nicolas Daigneault

Apr 15, 2021, 12:40:10 PM
to munki-discuss
Hi,

I would like my Mac computers in DEP to receive Munki automatically when they register with the MDM. Our MDM is Intune, and to push an application it seems that it needs to be notarized.

We don't have a developer account. I saw different scripts on the internet to do this. Is that the simplest method? It seems like a lot of effort. Just to be sure, the release of Munki is not notarized?

We are a school board with 300 Mac, and thousands of PC.

Thanks for your answer!

Gregory Neagle

Apr 15, 2021, 12:44:46 PM
to munki-...@googlegroups.com
The release pkg of Munki is neither signed nor notarized.

There is NO MDM requirement for packages to be notarized. If Intune is requiring that, they are placing an unnecessary burden on their customers.

It is true that MDM installation of packages requires a _signed_ package, and the build scripts for Munki allow you to sign a package you build. It's also fairly easy to sign the release package.

You _will_ need a developer account to obtain a package signing certificate. A developer account costs at most $99/year; it's possible EDU might be cheaper.

-Greg


Rob Renstrom

Apr 15, 2021, 1:54:38 PM
to munki-...@googlegroups.com
Nicolas,

I use Intune to distribute Munki. It doesn't need to be notarized, but I do sign the munkitools installer package as part of the build. And there's a trick to modifying the Intune line-of-business package, after it's processed with Microsoft's wrapper tool, to allow Intune to properly detect that it's installed.  I'll write up some notes and post them here next week.

-rob
 

Nicolas Daigneault

Apr 15, 2021, 2:47:29 PM
to munki-discuss
Thanks,

This is why I think I need to notarize Munki:

https://docs.microsoft.com/en-us/mem/intune/apps/lob-apps-macos

Starting with the release of macOS Catalina 10.15, prior to adding your apps to Intune, check to make sure your macOS LOB apps are notarized. If the developers of your LOB apps did not notarize their apps, the apps will fail to run on your users' macOS devices. For more information about how to check if an app is notarized, visit Notarize your macOS apps to prepare for macOS Catalina.


Rob Renstrom

Apr 24, 2021, 12:41:48 PM
to munki-discuss
Build munkitools package for deployment with Microsoft Intune MDM

First you need to build a signed munkitools package, that's suitable for MDM deployment (-m flag in build script). The app doesn't need to be signed, just the installer package.

And if building earlier than the Universal2 Munki 5.3 release, you'll also want to have the package install Rosetta2 on Apple silicon Macs (-R flag); although you may want to include this regardless if you're deploying other software that requires Rosetta.

Also look at the option to include the Munki configuration preferences in the munkitools distribution package (-c flag), since ideally you want everything related to Munki in a single package.


Once the package is built, manually install it to test. 

You'll process this package with the Microsoft wrapping tool, and this needs post-editing to work correctly.

Microsoft Intune App Wrapping Tool for macOS  https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac

On a Mac that has your package manually installed, get the version of the Managed Software Center (MSC) app:

defaults read /Applications/Managed\ Software\ Center.app/Contents/Info.plist CFBundleShortVersionString

You'll use this to tell the wrapper tool the MSC app version, which the Intune detection logic will use to check if the app is installed on clients. 

This is done by specifying the MSC app bundle ID (-i flag) in the wrapping tool, and the version (-n flag), 5.3.0.4289 in this example:

IntuneAppUtil -v -c munkitools-5.2.3.4295.pkg -i com.googlecode.munki.ManagedSoftwareCenter -n 5.3.0.4289 -o ./

Next, edit the resulting .intunemac file to work around an Intune detection issue, so it's only looking for the Managed Software Center app, and not all the component packages.

unzip munkitools-5.2.3.4295.pkg.intunemac 

Edit /Metadata/Detection.xml to remove all MacOSLobChildApp BundleId= lines, except for com.googlecode.munki.ManagedSoftwareCenter

Should look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<PackageMetadata Version="1.0.0.0" TimeStamp="2021-03-19 15:21:27 +0000" MacOSX="10.14.6" xmlns="http://schemas.microsoft.com/Intune/2018/01/01/MACLOBAPP">
<MacOSLobApp PackageType="pkg" PackageName="munkitools-5.2.3.4295.pkg" BundleId="com.googlecode.munki.ManagedSoftwareCenter" BuildNumber="5.3.0.4290">
<MD5HashChunkSize Size="10485760"/>
<MD5Hash>
f69b89b7f4763462f2b284f5a19eb8b6,dad7dfd13ed30f08b8f5ee6627dc7571,b69e20d4d18211fce884ebc7f53d5ac2,869618ba95cd648f2b73678110b85074
</MD5Hash>
<MacOSLobChildApp BundleId="com.googlecode.munki.ManagedSoftwareCenter" BuildNumber="4289" VersionNumber="5.3.0.4289"/>
</MacOSLobApp>
<InstallerParams VolumeInfo="/" RestartAction="None"/>
</PackageMetadata>

After editing, zip the IntuneMacPackage folder (first remove original)

rm munkitools-5.2.3.4295.pkg.intunemac 
zip -q --symlinks -0 -r munkitools-5.2.3.4295.pkg.intunemac IntuneMacPackage
rm -rf IntuneMacPackage/
 
Check the re-zipped LOB package to make sure the tool can read it:

IntuneAppUtil -v -r  munkitools-5.2.3.4295.pkg.intunemac 

Upload the .intunemac file to Intune as a Line-of-Business app. 

It will automatically set the description as follows; I like to change it to Managed Software Center rather than munkitools, but that's not required:
  • Description: munkitools-5.2.3.4295.pkg (5.3.0.4289) -> change to: Managed Software Center (5.3.0.4289)
Also you'll want to set these options:
  • Ignore app version: YES (set to yes for apps that are automatically updated by the app developer), assuming you use Munki to update Munki
  • Install as managed: NO (only applies to Big Sur and simple app bundles)
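The Detection.xml pruning and re-zip steps above, as an added shell example (not Rob's script or Microsoft's tool): prune_child_apps keeps only the Managed Software Center child entry and can be run on its own, while repack_intunemac chains the unzip, zip and verify commands from the post and assumes Detection.xml sits at IntuneMacPackage/Metadata/Detection.xml inside the archive.

```shell
#!/bin/sh
# Added example: trim Intune's Detection.xml so it only detects Managed Software
# Center, then rebuild the .intunemac exactly as the manual steps do.
set -eu

KEEP_ID="com.googlecode.munki.ManagedSoftwareCenter"

# Drop every <MacOSLobChildApp ...> line whose BundleId is not the one to keep.
# Edits the file in place and prints how many child-app entries remain.
prune_child_apps() {
  xml="$1"; keep="${2:-$KEEP_ID}"; tmp="$xml.tmp"
  awk -v keep="$keep" '
    /<MacOSLobChildApp / && index($0, "BundleId=\"" keep "\"") == 0 { next }
    { print }
  ' "$xml" > "$tmp" && mv "$tmp" "$xml"
  grep -c '<MacOSLobChildApp ' "$xml" || true
}

# Full round trip on a wrapped package: unzip, prune, re-zip (stored, keeping
# symlinks), then let IntuneAppUtil confirm it can still read the result.
# Assumes the archive unpacks to ./IntuneMacPackage with Metadata/Detection.xml.
repack_intunemac() {
  intunemac="$1"
  unzip -q "$intunemac" -d .
  prune_child_apps IntuneMacPackage/Metadata/Detection.xml
  rm "$intunemac"
  zip -q --symlinks -0 -r "$intunemac" IntuneMacPackage
  rm -rf IntuneMacPackage
  IntuneAppUtil -v -r "$intunemac"
}
```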
