I’m proposing a new key named per_catalog_force_install_after_date containing the catalog and associated force_install_after_date. This would take precedence over the non-catalog level force_install_after_date key. It would be opt-in, not impacting existing setups.
Consider an autopromote workflow like Gusto’s open source solution (
https://github.com/Gusto/it-cpe-opensource/tree/main/autopromote). While some autopromote workflows only move pkgsinfo through catalogs, this one includes a force_install_after_date which is progressively pushed further into the future as promotion occurs. That also means computers which haven’t installed software by the previously required date get their deadline moved too.
For example, a new pkginfo for Firefox is created. An autopromote workflow runs and adds it to the development catalog with a force_install_after_date one week in the future. A week later autopromote runs again and adds that Firefox version to the testing catalog with a new force_install_after_date another week into the future. Since there’s only one force_install_after_date, any computer using the canary catalog which didn’t install Firefox already gets 2 weeks instead of 1 before the force_install_after_date deadline.The problem compounds as the pkginfo moves through more catalogs.
I’d like the option to have individual force_install_after_date for each catalog to ensure dates stay consistent as pkginfo are promoted. If there is no matching date for a specific catalog, Munki falls back to force_install_after_date. The new key would either be a dictionary or an array of dictionaries like below.
Example pkginfo keys
<key>catalogs</key>
<array>
<string>development</string>
<string>testing</string>
<string>production</string>
</array>
<key>per_catalog_force_install_after_date</key>
<dict>
<key>development</key>
<date>2024-03-14T13:00:00Z</date>
<key>testing</key>
<date>2024-03-21T13:00:00Z</date>
<key>production</key>
<date>2024-04-04T13:00:00Z</date>
</dict>
Or
<key>per_catalog_force_install_after_date</key>
<array>
<dict>
<key>catalog</key>
<string>development</string>
<key>force_install_after_date</key>
<date>2024-03-14T13:00:00Z</date>
</dict>
<dict>
<key>catalog</key>
<string>testing</string>
<key>force_install_after_date</key>
<date>2024-03-21T13:00:00Z</date>
</dict>
<dict>
<key>catalog</key>
<string>production</string>
<key>force_install_after_date</key>
<date>2024-04-04T13:00:00Z</date>
</dict>
</array>
My guess is many orgs don’t use force_install_after_date often, and if/when they do, take the approach of setting one date for all catalogs further into the future. If it takes 4 weeks to promote through all catalogs, the force date is immediately after those 4 weeks or even later. However, for orgs with stricter SLAs or compliance requirements, I see the advantage in more tightly controlling force_install_after_date. Definitely heavier handed, but with better assurances software is installed by a specific date.
I’m open to contributing the work myself. Not asking anyone else to take it on. Curious what people’s thoughts are and if they would find this to be a useful feature.