A Guide to Implementing Apple iPads in Education

There are several key pieces to a successful education iPad deployment. This guide is a good starting point towards understanding how the pieces come together.

Mobile Device Management (MDM)

An MDM unlocks the real potential of iPads in education. There are hundreds of MDM vendors; in Australia the most common one is Jamf Pro (formerly Casper Suite). Jamf have a great track record for supporting new features as they come out and offer substantial discounts to educational institutes.

All reliable MDMs are subscription based, where you pay X amount per month/year per iPad.

An MDM will allow for:

  • wireless deployment of apps and settings to iPads, with no more syncing with iTunes/Apple Configurator or manually downloading onto each device.
  • keeping an inventory of your iPads.
  • the features discussed below: Device Enrolment Programme, Volume Purchase Programme and Apple School Manager.

Device Enrolment Programme (DEP)

Once a school is enrolled for DEP, new iPads purchased from an Apple Authorised Reseller are registered with the school's DEP account. iPads registered with DEP will automatically talk to the school's MDM (e.g. Jamf Pro) and automate the set up of the iPad, so I.T. never needs to see the device.

Volume Purchase Programme (VPP)

VPP allows for the bulk purchase of app licenses and many apps offer a 50% discount when purchasing quantities of twenty or more at a time.

Once a purchase in the VPP portal has been made, the app licenses will appear in your MDM and you can select the devices you wish to deploy that app to.

Credit can be added to a VPP account either via credit card or by purchase order.

Apple School Manager (ASM)

Apple School Manager is a teacher's dream - it allows them to remotely view, lock and control iPads in the classroom. Apple has a 3 minute video demonstrating the functionality of the Classroom app (part of ASM).

Historically iPads have always been a single user device, so when they are shared (often the case in schools) this can cause problems, especially if students delete other students' work. With ASM, iPads gain security for shared use as each student is given their own unique account and passcode, keeping their work safe.

Their work is also synchronised with iCloud allowing them to pick up any school iPad, log in and have their previous work appear on that iPad.

Registering a school for DEP, VPP and ASM is free and can be completed here.

Apple Caching Service

With lots of apps, updates and iCloud data being downloaded from the Internet it is paramount to have a Mac mini set up with macOS Server and the Caching Service. The Caching Service reduces the amount of data downloaded over the Internet connection and speeds up delivery of repeat data.

How it works

The first time an app is downloaded from the Internet, it is cached on the Mac mini during that initial download. If another device requests the same update, it doesn’t need to download it from the Internet again; instead it is rapidly downloaded from the local Mac mini.

Recovering a Forgotten OS X/macOS User Password

Recently I had an elderly client that could not remember the password to his iMac nor the email passwords configured in Apple Mail. I was caught in a situation where I could not reset his Keychain as that would remove his email passwords, but I also had no way of extracting passwords from his Keychain. On top of that I needed the password to install new printer drivers.

This information is intended to support others that have forgotten their login password; it should not be used for evil. If you want to secure your system from vulnerabilities like this, it is important to enable FileVault whole-disk encryption and use a unique/secure password. You can turn it on under System Preferences > Security & Privacy > FileVault.

I remembered reading how the Automatic Login feature stores a cipher of the user's password in /etc/kcpassword. A quick Google search later and I had the following command to extract the password.

Since the above command requires sudo and I didn't have access to an administrator account, I booted the iMac into Target Disk Mode, connected it to another Mac (via FireWire/Thunderbolt cable) and ran the following command:

sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/Volumes/Macintosh HD 1/etc/kcpassword").bytes.each_with_index { |b, i| k = key[i % key.size]; break if b == k; print [b ^ k].pack("U*") }'

And just like that I had recovered his password!
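
The FileVault advice above can be checked across a fleet. The audit below is an added example, not part of the original post; the function name audit_autologin and its output format are assumptions. It reports the automatic-login password file on the running system or on a mounted volume and, for the running system, whether FileVault is on.

```shell
#!/bin/sh
# Added example (not from the original post): audit a macOS volume for the
# automatic-login password file and, on the running system, for FileVault.
# The function name and output format are assumptions made for this example.

# audit_autologin ROOT
#   ROOT is "/" for the running system or a mounted volume such as
#   "/Volumes/Macintosh HD". Prints one line per finding.
#   Returns 0 when nothing was found, 1 when at least one finding exists.
audit_autologin() {
    root=${1:-/}
    root=${root%/}    # "/" becomes "", "/Volumes/X/" becomes "/Volumes/X"
    findings=0

    # Automatic Login stores an XOR-obfuscated copy of the password here.
    kc="$root/etc/kcpassword"
    if [ -e "$kc" ]; then
        echo "FINDING: $kc exists (automatic login password is recoverable from disk)"
        findings=$((findings + 1))
    fi

    # The login window preference names the account that logs in automatically.
    # Only checked where the macOS 'defaults' tool is available.
    plist="$root/Library/Preferences/com.apple.loginwindow.plist"
    if [ -f "$plist" ] && command -v defaults >/dev/null 2>&1; then
        user=$(defaults read "${plist%.plist}" autoLoginUser 2>/dev/null) || user=""
        if [ -n "$user" ]; then
            echo "FINDING: automatic login is enabled for '$user'"
            findings=$((findings + 1))
        fi
    fi

    # FileVault status can only be queried for the running system.
    if [ -z "$root" ] && command -v fdesetup >/dev/null 2>&1; then
        if ! fdesetup status 2>/dev/null | grep -q "FileVault is On"; then
            echo "FINDING: FileVault is not enabled on the startup disk"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Usage: audit_autologin /            (running system)
#        audit_autologin "/Volumes/Macintosh HD 1"   (mounted volume)
```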

Adding HomeKit Support to LIFX Light Bulbs

In the smart light market the two major players are Philips Hue and LIFX. Around the time HomeKit was first released, Philips Hue offered a new hardware bridge to allow customers to control their Philips Hue bulbs with Siri. LIFX on the other hand has been telling customers that HomeKit support is on its way, but has yet to deliver.

With the announcement of iOS 10's Home app I was over waiting and started looking into ways to make LIFX bulbs HomeKit compatible. That's when I came across Homebridge, a community developed solution that acts as a bridge for non-HomeKit compliant devices, LIFX light bulbs being one of them.

I have put together this guide for other LIFX bulb users eager to take advantage of HomeKit.

In this guide I run Homebridge on a Mac mini, however you should be able to get this working on a PC or even a Raspberry Pi. Also, to be useful the machine running Homebridge will need to always be on.

Steps

Homebridge requires Node.js; download and install it.

Now install Homebridge: open Terminal (Utilities > Terminal) and type:

sudo npm install -g --unsafe-perm homebridge 

If prompted, install Git and run the above command again.

Next install David Parry’s LIFX LAN Homebridge plugin:

sudo npm install -g homebridge-lifx-lan 

Download my LIFX ready Homebridge configuration file:

curl https://raw.githubusercontent.com/Error-freeIT/Homebridge-Configuration/master/lifx-config.json --create-dirs -o ~/.homebridge/config.json 

Start Homebridge by simply typing:

homebridge

Open the Home app on your iOS device, tap Get Started > Add Accessory > Homebridge > Add Anyway > Enter Code Manually > 053-73-874

The rest of the process is just tapping Next and configuring your rooms and scenes. If you're new to HomeKit I recommend reading Apple's article on the Home app.

As long as your LIFX lights are switched on you should see them in the Home app.

Once the novelty of telling Siri to control your lights starts to wear off, there's one more step: making Homebridge start up automatically in the background. First we need to stop the current instance of Homebridge from running by pressing control + C. Then paste the following two commands into Terminal:

curl https://raw.githubusercontent.com/Error-freeIT/Homebridge-Configuration/master/com.github.homebridge.plist --create-dirs -o ~/Library/LaunchAgents/com.github.homebridge.plist

launchctl load ~/Library/LaunchAgents/com.github.homebridge.plist  

That's it! Enjoy your fancy HomeKit enabled LIFX lighting!

Apple Configurator 2 Workarounds

At the moment Apple Configurator 2 has a Mac App Store customer rating average of 1.5 out of 5 stars. I find it overall better than its predecessor, but I understand the poor rating and have put this post together to help others moving to Apple Configurator 2.

For me the biggest change between Apple Configurator 1 and 2 is the shift in app licensing. Buying a new app with Apple Configurator 1 involved downloading a spreadsheet of redemption codes from the Volume Purchase Program portal. Then you would use the first redemption code to download the app with iTunes. Then import that app’s .ipa file into Apple Configurator, re-download the spreadsheet of redemption codes (now with the first code marked as redeemed) and finally import the spreadsheet into Apple Configurator.

Thankfully Apple Configurator 2 uses managed distribution instead of redemption codes, cutting out the cumbersome process above. With managed distribution Apple track which devices/Apple IDs are assigned apps and give the organisation the ability to revoke and reissue app licenses. Managed distribution is also the licensing method used by all Mobile Device Management (MDM) solutions, making the eventual transition from Apple Configurator to an MDM solution much smoother.

Obtaining Free iLife & iWork Apps

If you are migrating from Apple Configurator 1 you will need to reapply for new managed distribution licenses of Pages, Numbers, Keynote, iMovie and GarageBand. This requires uploading proof of purchase with a list of eligible iPad serial numbers here.

Migrating Your Paid Apps

Apple have created an online form for migrating your paid apps to managed distribution. Simply fill out the form here, selecting ‘Migrate from redemption codes to managed distribution’ from the dropdown list. Apple will look at your purchase history and convert all your previously purchased apps to managed distribution.

Unexpected Behaviour

Issue: Apps aren’t being cached by Apple Configurator 2. 
Workaround: Set up another Mac on your network with OS X Server and the Caching service enabled.

Issue: Failing iOS firmware downloads on slow or unstable Internet connections.
Workaround: Manually download the firmware files (.ipsw) and copy them into Apple Configurator’s firmware directory.

To speed up the download of firmware I use https://ipsw.me to find my device's firmware URL and then download it with the DownloadThemAll! Firefox plugin.

Once downloaded, copy the firmware file into place: in Finder click Go > Go to Folder… and paste:

~/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Firmware/

Issue: I made a change to a profile that was part of a blueprint. After applying the blueprint to a new iPad I noticed the profile installed was an older revision.
Workaround: If you edit a profile you will need to remove and re-add it to your blueprints. I find it odd that it does not reference the location of the profile selected.

Issue: I tried installing a few apps at once to a cart of iPads, received the error "An unexpected error has occurred with these iPads. The operation couldn't be completed. Operation not permitted [NSPOSIXErrorDomain - 0x1 (1)]" and ended up with some apps grayed out on the home screen. 
Workaround: This seems to be a known bug as reported here. Try installing the troubled apps individually. Reinstalling the app will give you the option to skip or overwrite the app and will not waste any additional licenses.

Issue: My blueprint has both a lock screen and home screen set, but only the lock screen wallpaper applied.
Workaround: After applying the blueprint select Actions > Modify > Wallpapers…

Issue: The progress bar seems to be stuck.
Workaround: Click Window > Activity to see more detail.

Issue: The Photos app keeps opening.
Workaround: [Update 23/03/16]: Erik Gomez has reported Apple Configurator 2.2 in OS X 10.11.4 no longer does this and the workaround is no longer required. As discovered here you can stop Photos from reopening with the following Terminal command:

defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool YES

Issue: Deleting an app directly on the iPad does not revoke the app license and when connected Apple Configurator 2 still detects the app as installed.
Workaround: Properly remove the app and revoke the license in Apple Configurator 2 by selecting Actions > Remove > Apps…

Issue: Apps are still functional on devices after the license has been revoked. If you install an app with Apple Configurator 2, then go to Window > VPP Assignments and revoke the license, the app remains functional on the devices and the license is returned to the VPP account.
Workaround: No workaround, just ignore it. What should happen: once the license is revoked it should prompt the device owner to purchase a copy of that app.

 

Lastly, if you have any Apple Configurator 2 tips please share them in the comments.

[SOLVED] Unable To Access iPhone Photos In Windows 7

Last week I had a client who wanted help copying photos from his iPhone to his PC running Windows 7. When connecting his iPhone, iTunes would open and see the iPhone, but his photos would not appear under My Computer (Windows Explorer).

When reconnecting the iPhone I noticed Windows was failing to install a driver for an MTP USB Device. I could also see in Device Manager the device status was “Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)”

After reinstalling iTunes and attempting to manually apply the correct device driver I still had the same driver failing to install issue.

Eventually I came across Navigat0's post and that fixed the issue. To help the next person who runs into this issue I have rewritten the process with screenshots below.

Type ‘regedit’ in the start menu search field and open it.

Expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Class.

Select {EEC5AD98-8080-425F-922A-DABF3DE3F69A} from the long list.

Right click UpperFilters > Delete > Yes.

Now close Registry Editor and reconnect your iPhone. Everything should work normally from now on.

Automate the Setup of Microsoft Exchange Accounts on OS X

I have been recently looking for the best way to automate the setup of Exchange accounts (specifically Office 365 hosted) on shared Macs. William Smith has created an impressive Exchange Setup AppleScript, perfect for Microsoft Outlook users.

I also wanted to automate the setup of Exchange accounts for Apple’s native OS X apps (Mail, Contacts, Calendars, Reminders and Notes). Normally this would be done with a Mobile Device Management (MDM) solution, pushing out user personalised configuration profiles. But for those situations where an MDM isn’t feasible (possibly due to budget, resources, policy, etc.) or is simply overkill, this post should help you out.

To make life easier for those without an MDM I have put together a bash script to automate the setup of Exchange accounts on OS X.

 

How it works

The script locally generates and installs a user configuration profile (.mobileconfig file). To avoid the account being added as offline the user is also prompted for their Exchange account password.

Usage

I have tested this script on OS X El Capitan (10.11) with multiple Office 365 Exchange accounts.

  1. Install Joseph Chilcote's Outset script.
  2. Download the addexchangeaccount.sh script and customise the required DOMAIN and EXCHANGE_HOST values.
  3. Then copy the customised script into /usr/local/outset/login-once/ and remember to make it executable.

That's it! The first time a user logs in they are prompted to enter their Exchange account password and then the script does the rest.

Flat Out of Time - Correcting the System Clock from the Login Window

Some of the schools I work with have shared class sets of MacBooks. Their shared MacBooks are configured to connect to the school’s Wi-Fi (WPA2 enterprise network) at the login window. Sometimes the MacBooks are left in sleep mode for extended periods of time, causing the battery to deplete and the system clock to reset.

After the flat MacBooks are recharged and turned on, they fail to connect to Wi-Fi and this leads to users complaining that they cannot log in. This is due to the ‘Not Valid Before’ value of the Remote Authentication Dial-In User Service (RADIUS) certificate being ahead of the system clock.

Correcting this issue would require a user to first realise the time is incorrect and then connect the MacBook to the network with an Ethernet cable or more commonly bring the MacBook to an IT Administrator with access to a local administrator account.

With the number of users coming to see me with this issue, I started looking into ways I could give the user the ability to correct the system time themselves from the login window and without an Ethernet cable. My idea was to create an application that appears over the top of the login window if the system clock is set to a date before 2015.

I found making an application visible at the login window surprisingly difficult. It wasn’t until I came across Apple’s PreLoginAgents sample code that I was a big step closer. Not long after that I had a working app that prompted users to correct the date and time after a flat battery.

To use, simply download the package from here and deploy it to your clients.

Deploy Finder's Sidebar List Favorites

Recently I came across Matt Schalk's Change_Sidebar_list.py script for interacting with Finder’s sidebar list favorites.

His script really caught my attention as I have come across situations where network home directories are missing the default set of Finder sidebar favorites.

To easily deploy a standard set of Finder sidebar favorites I have created another script (setsidebarfavorites.sh) that interfaces with Matt’s Change_Sidebar_list.py script. This script was also created with Joseph Chilcote's outset in mind. Placing setsidebarfavorites.sh in /usr/local/outset/login-once/ will initially configure a user’s favorites and then leave it up to them to further customise.

Usage

1. Install changesidebarlist-1.0.pkg

2. Install outset.pkg

3. Install setsidebarfavorites-1.0.pkg

 

Customisation

If you want to further customise the standard list of favorites included in setsidebarfavorites-1.0.pkg download and edit setsidebarfavorites.sh.

Once customised simply copy setsidebarfavorites.sh into /usr/local/outset/login-once/ on your client machines and correct the script's file permissions with:

sudo chown -R root:wheel /usr/local/outset && sudo chmod -R 755 /usr/local/outset && sudo xattr -rc /usr/local/outset

Dock Master - A Superior Profile Maker for Managing the Dock

Recently I have been actively looking into the best solution for setting a custom dock on multiple machines.

Apple’s Profile Manager allows the creation of configuration profiles with dock settings. However, the functionality has some frustrating limitations:

  • There is no control over the order in which applications are displayed in the dock.

  • You can only add applications to Profile Manager if they are installed (note: can be dummy .app files) on the OS X Server host itself.

  • No home directory relative path support, therefore you cannot simply add a user’s Downloads folder to the dock.

The Search for Something Better

I tried Kyle Crawford’s dockutil command line tool and found it worked well for changing the dock of existing local accounts, but required scripting (LaunchAgent) to apply to newly created accounts.

I also had temperamental success in directly editing:
/System/Library/CoreServices/Dock.app/Contents/Resources/en.lproj/default.plist
/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist

After that I tried using Tim Sutton’s mcxToProfile script to convert ~/Library/Preferences/com.apple.dock.plist into a profile. Unfortunately home directory relative folders were broken using this technique.

Get To The Good Stuff

Over the past week I started working on a tool to make generating dock configuration profiles easy and include all the features missing from other tools.

The advantages of my solution (Dock Master) include:

  • Support for home directory relative paths (e.g. ~/Downloads).

  • The ability to include applications that are not installed.

  • Inclusion of network shares and website links with custom labels.

  • The ability to set folder attributes (sort by, display as and view content as).

Dock Master is an intuitive way to customise and generate dock profiles. To help you get started I have included some sample data commonly featured in education docks and an example of a directory, share and website that can be edited/removed as required. Once all the desired alterations have been made the profile is ready to be downloaded and distributed.

Removable Dock Items

A few people have contacted me asking if there’s a way to deploy a custom dock with removable items. Unfortunately, configuration profiles do not allow for this. Dock Master now works around this limitation by creating a dock preference file that is added to the User Template (new user accounts) and optionally replaces the dock plist in existing user accounts.

Below you will notice a lock icon next to each dock item, unlocked items are removable by the end user. If one or more dock items are unlocked, Dock Master generates a tar file (compressed archive) instead of a configuration profile.

Once the tar file (archive) is extracted you will have a folder containing a ‘makepackage.command’ script. To build your custom package, simply right click the script and select Open.

The resulting package can be deployed just like any other package (e.g. Apple Remote Desktop, AutoDMG, DeployStudio, Munki, etc).

Name


Applications

Please provide the full path to the application (.app file).

Others (Folders/Shares/URLs/Weblocs)


Additional Options

Profile description:
Profile scope:
Prevent users from permanently modifying dock contents.
Merge with user's existing/default dock.
Add user's network home folder.
Maximum icon size (1-256):
Enable magnification. | Maximum magnification size (1-256):
Dock position:
Minimize windows using:
Apps animate (bounce) on open.
Automatically hide and show the dock.
Show indicators for open applications.
Minimise windows into app icon.
Create package instead of profile. | Package applies to existing users. | Package version:
Target macOS:

Do You Like Dock Master?

If you appreciate my work on Dock Master please consider making a donation. Dock Master has been a hobby project, I never developed it planning to make money (although my partner thinks I should) and I felt it was my way of contributing to the Mac Admin community. Donations help offset server hosting costs and access to resources.

 

FAQ

I have downloaded my fancy dock profile/package, how do I push it out to all my users?
There are several ways to distribute profiles and packages, I recommend simply importing them straight into Munki.

What happens if I want to change a Dock Master profile already installed on my clients?
Dock Master profiles use the dock name as the profile identifier, therefore if you use the same name the new dock profile will overwrite the old. Dock Master packages simply overwrite any prior installed Dock Master package.

Can I reorder dock items?
Yes, simply click and drag the ≡ sign to change the position of a dock item.

I still don’t get it, why would I use this?
It's free!!!

In education environments younger students find it difficult to find an application in Finder or the Launchpad, therefore having applications sitting in the dock allows students to independently access the applications they need.

This tool allows advanced customisation and quick generation of dock profiles that can be applied to different device groups (e.g. Art, Music, Junior School Macs).

And lastly because it's awesome!

Where can I find the source code?

I was surprised with the demand for Dock Master. Since its release I have rewritten Dock Master (originally PHP) into a native OS X Swift command-line tool for offline use. You can find the source code on GitHub here.

Munki Business - A Guide to Munki 2

A lot has changed since my original post on Munki 1. With Munki 2 well and truly out, I have taken the opportunity to write an updated guide on Munki 2.

What is Munki?

Munki is a community driven project created by Greg Neagle, allowing IT Administrators to efficiently deploy software to large numbers of Macs.

A Munki implementation can be broken down into two core parts:
a) a repository hosted on a web server
b) a bunch of clients running the Munki software
 

A Munki Repository

Since a Munki repository is simply a collection of organised files served out by a web server it can be hosted on any web server (e.g. IIS, Apache, etc.) regardless of platform. In the situation where the repository is hosted on a remote server, Administrators can remotely edit the repository over a network share.

Every Munki repository is comprised of the following four directories:
pkgs: All package (.pkg) and disk image (.dmg, .iso) files.

pkgsinfo: For each piece of software in the pkgs directory there is an associated file in pkgsinfo. These files contain detailed information about that piece of software and the catalog(s) that software is assigned to. Conventionally these pkgsinfo files have the .plist extension.

catalogs: Catalog files are generated from the contents of pkginfo files, they are used to separate production (tested) from development (untested) versions of software.

manifests: Clients are configured to download a particular manifest file. These manifest files contain a list of software to install and the catalog (version) to use.

Note: Apart from the contents of pkgs every other directory contains standard Extensible Markup Language (XML) files.

With the release of Munki 2, there are three additional directories:
artwork: A place to store any images used within software descriptions.

client_resources: Home to the Managed Software Center application theme files.

icons: Contains images (.png) used as software icons in the Managed Software Center application. The recommended icon resolution is 300x300.

Setting Up a Repository

The steps for setting up a Munki repository vary depending on web server and platform. For OS X the standard procedure involves creating a ‘munki_repo’ directory in ‘/Users/Shared/’ and populating it with the directories listed above, then creating a symbolic link from ‘/Users/Shared/munki_repo’ to ‘/Library/Server/Web/Data/Sites/Default/’ and enabling the OS X Server web server.

Managing Munki Repositories

Download and install the latest release of Munki Tools here.

Part of Munki Tools are the Munki Admin Tools for command-line management of Munki repositories. Unless you enjoy working purely in the command-line, I recommend downloading Hannes Juutilainen’s MunkiAdmin, a user-friendly application for managing Munki repositories. 

Install AutoPkg

AutoPkg automates the process of downloading and importing third party software updates straight into the Munki repository. Look at setting up AutoPkg by following my guide here.

Manually Importing New Software

If you wish to manually import a piece of software here are the steps:

Before we can use the Munki Admin Tools we need to complete the initial setup. To start the setup open Terminal and type:

munkiimport --configure

The 'Repo fileshare URL' can be left blank if the Munki repository is stored on the local disk, otherwise provide a network share path (e.g. smb://SERVERADDRESS/munki_repo).

I recommend following the guidelines below, to keep your Munki repository tidy:
First rename the software you wish to import:

  • Match the name to the software (e.g. jre-7u67-macosx-x64.dmg > java.dmg).
  • Only use lowercase letters (e.g. Firefox 32.0.3.dmg > firefox.dmg).
  • Do not use dashes, underscores or spaces (e.g. Skype_6.19.0.452.dmg > skype.dmg).
  • Delete version numbers (e.g. vlc-2.1.5.dmg > vlc.dmg).
  • Omit the developer’s name (e.g. googlechrome.dmg > chrome.dmg).

Once renamed, open Terminal and type ‘munkiimport ’ (take note of the trailing space).
Drag the renamed package onto the Terminal window and hit return.
When prompted for an item name enter the name of the package without the extension (e.g. firefox.dmg > firefox).
The display name can contain spaces and capitals (e.g. Flash Player).
The description can be left blank for now, as it can be added in later with MunkiAdmin.
The version number is pulled from the software, verify it is accurate and hit return, otherwise type in the correct version number.
When prompted for a category, use the Mac App Store categories as a guide (e.g. Productivity, Utilities, etc).
Enter the developer’s name (e.g. Apple, Google, etc).
When prompted for Catalogs hit return.
You will be presented with a summary of your input, if you are happy that it is all correct type y and hit return.
Just hit return when asked for a subdirectory path.
Munki may offer to extract an icon, type y and hit return. 
You are given a chance to make any alterations to the newly generated pkginfo file, simply press control + X.
Lastly you are asked if you would like to rebuild catalogs, type y and hit return.

Assigning Software to Manifests

To put it simply, manifests contain lists of software to install and the catalogs (software version) to use. Software can either be set as mandatory (managed_installs) or optional (optional_installs). Optional installs provide a self-service experience similar to the Mac App Store.

MunkiAdmin makes the process of assigning software to manifests simple, just add a new item under either the Installs tab (mandatory) or the Optional Installs tab.

As seen in the diagram below, every Mac installs a SOE (Standard Operating Environment) suite of software. Depending on the Mac’s location (e.g. Art, Music, etc.) and the intended user type (e.g. staff or student), additional software (e.g. Photoshop, Sibelius, etc.) is installed. Since Munki clients can only check a single manifest, I have dealt with this limitation by stacking manifests.

It may seem confusing at first, but once the manifest infrastructure is in place, assigning new software to all relevant clients is simple. The green bubbles are manifests that clients check and we normally avoid adding any software directly to these. Yellow are purely for merging manifests, again nothing should be added to these. Blue are core attributes (e.g. laptop, staff, science, etc.) and software is assigned to these.

Configuring Munki Clients

Once Munki Tools is installed, clients need to be configured with the Munki repository's address and which manifest to check. Often these settings are configured using DeployStudio, a payload-free package or another means of script execution. This can be performed manually in Terminal with:

defaults write /Library/Preferences/ManagedInstalls.plist SoftwareRepoURL http://SERVERADDRESS/munki_repo
defaults write /Library/Preferences/ManagedInstalls.plist ClientIdentifier MANIFESTNAME

Testing Software

Before pushing out software to every Munki client it is important to thoroughly test that it works as expected. You should configure at least one test machine the same way as the rest of your clients, with the exception of pointing it to a testing manifest.

A testing manifest should include both the development and production catalogs, as well as a manifest directly accessed by clients.

Once that piece of software has been deemed stable, add it to the production catalog and watch as the rest of your clients install it.

Frequently Asked Questions

If you have read this far, you should be starting to get an understanding of how useful and feature rich Munki is. For readability I have chosen to tackle common queries I receive regarding Munki.

How does Munki know what is already installed?
Any applications installed by simply dragging and dropping them into Applications are detected by Munki. If a user deletes a drag and drop app from Applications, Munki will notice its absence and reinstall it.

With package files, Munki indirectly checks for the existence of receipt files. Deleting the associated .plist and .bom files of a package in /var/db/receipts will therefore cause Munki to reinstall that package.

Managed Software Center keeps attempting to install the same package over and over. What’s going wrong?
If MSC loops on a package, compare the receipts listed in the pkginfo file to the receipts present in the '/var/db/receipts/' directory. Once you figure out the missing receipt(s), mark them as optional (ignored).
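One way to automate that comparison, as an added example that is not part of Munki or of the original guide. The pkginfo fragment and directory listing are constructed, the package ids are made up, and the check looks only at whether a receipt is present, not at its version.

```python
import plistlib

# Constructed pkginfo fragment; the package ids and versions are made up.
PKGINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>name</key><string>ExamplePrinterDriver</string>
  <key>receipts</key><array>
    <dict><key>packageid</key><string>com.example.driver.core</string>
          <key>version</key><string>1.2</string></dict>
    <dict><key>packageid</key><string>com.example.driver.fonts</string>
          <key>version</key><string>1.2</string></dict>
    <dict><key>packageid</key><string>com.example.driver.legacy</string>
          <key>version</key><string>1.2</string>
          <key>optional</key><true/></dict>
  </array>
</dict></plist>"""

# Constructed listing of /var/db/receipts on the client that keeps looping.
RECEIPT_FILES = [
    "com.example.driver.core.plist", "com.example.driver.core.bom",
    "com.apple.pkg.Other.plist", "com.apple.pkg.Other.bom",
]


def missing_receipts(pkginfo_bytes, receipt_files):
    """Split the package ids the pkginfo lists but the client lacks into
    'required' (these cause the reinstall loop) and 'optional' (ignored)."""
    pkginfo = plistlib.loads(pkginfo_bytes)
    installed = {name[:-len(".plist")] for name in receipt_files
                 if name.endswith(".plist")}
    result = {"required": [], "optional": []}
    for receipt in pkginfo.get("receipts", []):
        pkgid = receipt.get("packageid")
        if not pkgid or pkgid in installed:
            continue
        kind = "optional" if receipt.get("optional", False) else "required"
        result[kind].append(pkgid)
    return result


if __name__ == "__main__":
    # On a real client, pass the pkginfo file's bytes and
    # os.listdir("/var/db/receipts") instead of the constructed samples.
    print(missing_receipts(PKGINFO, RECEIPT_FILES))
```

Any id reported under 'required' is a candidate for the optional flag in the pkginfo.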

You can also use Terminal’s ‘pkgutil’ command to search for installed receipts. In the example below I am searching for receipts containing the word xerox; the (?i) part ignores case and the .* parts are wildcards.

Can we customise the banners in Managed Software Center?
Absolutely! You can even customise the sidebar and footer links. The official Munki wiki does a great job covering this in detail here.

How frequently does Munki check for updates?
After ten seconds of inactivity at the login window Munki will automatically install any locally cached updates.

By default a launch daemon is set to run ‘/usr/local/munki/supervisor’ ten minutes past every hour. The supervisor generates a random delay of up to sixty minutes to help stagger clients contacting the Munki repository. Once the delay is over, supervisor triggers ‘/usr/local/munki/managedsoftwareupdate’. If there are new updates, the logged-in user is notified by Managed Software Center.

Note: Munki is also capable of installing software without any user intervention. This is achieved by enabling 'Unattended install' in MunkiAdmin.

Will Managed Software Center work outside of the organisation?
As long as the web server hosting the Munki repository is externally accessible, MSC will also work externally. If you plan on hosting a Munki repository on a public web server, you should also configure SSL Client Certificates to ensure access to the repository is limited to permitted clients.
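A client-side check for that setup, as an added example that is not from the original guide or from Munki itself. It compares the preferences written by the two defaults commands earlier with a hardened variant. UseClientCertificate, ClientCertificatePath and ClientKeyPath are Munki preference keys that do not appear on this page, and the host name and file paths are placeholders.

```python
import os
import plistlib
from urllib.parse import urlparse

# Constructed ManagedInstalls.plist as the two defaults commands leave it.
WEAK = b"""<plist version="1.0"><dict>
  <key>SoftwareRepoURL</key><string>http://SERVERADDRESS/munki_repo</string>
  <key>ClientIdentifier</key><string>MANIFESTNAME</string>
</dict></plist>"""

# Constructed hardened variant; host name and file paths are placeholders.
HARDENED = b"""<plist version="1.0"><dict>
  <key>SoftwareRepoURL</key><string>https://munki.example.org/munki_repo</string>
  <key>ClientIdentifier</key><string>MANIFESTNAME</string>
  <key>UseClientCertificate</key><true/>
  <key>ClientCertificatePath</key><string>/path/to/client_cert.pem</string>
  <key>ClientKeyPath</key><string>/path/to/client_key.pem</string>
</dict></plist>"""


def audit_munki_prefs(plist_bytes, path_exists=os.path.exists):
    """Return a list of findings; an empty list means nothing to report."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    scheme = urlparse(prefs.get("SoftwareRepoURL", "")).scheme
    if scheme != "https":
        findings.append(f"SoftwareRepoURL uses {scheme or 'no scheme'}; "
                        "repository traffic is not protected by TLS")
    if not prefs.get("UseClientCertificate", False):
        findings.append("UseClientCertificate is off; the client presents "
                        "no certificate to the repository")
    else:
        # Only explicitly configured paths are checked here.
        for key in ("ClientCertificatePath", "ClientKeyPath"):
            path = prefs.get(key)
            if path and not path_exists(path):
                findings.append(f"{key} points at a missing file: {path}")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_munki_prefs(sample))
```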

How can I remotely trigger Munki clients to check for updates?
Using Apple Remote Desktop you can trigger groups of Macs to instantly check the Munki repository for updates and install.

Trigger Munki instantly regardless of whether a user is logged in:

/usr/local/munki/managedsoftwareupdate;/usr/local/munki/managedsoftwareupdate --installonly

Trigger Munki to run the moment the current user logs out or if nobody is currently logged in:

touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup

Tip: You can save those commands as Unix command templates in ARD.

How do I go about troubleshooting a Munki issue?
Since the Munki repository is just a bunch of files served out by a web server, almost all troubleshooting is performed from Munki clients.

On a client open Terminal and run:

sudo managedsoftwareupdate

This will immediately display any issues with the repository. You can also check the client log files stored in ‘/Library/Managed Installs/Logs/’.

How do we update the version of Munki Tools running on clients?
AutoPkg makes it easy to keep your Munki clients up-to-date with frequently updated software (e.g. Flash Player, Java, etc.). You can quickly set up AutoPkg by following my guide here. There is a munkitools2.munki.recipe override included in my collection of recipe overrides. This will automatically import the latest release of Munki Tools into your Munki repository, as four separate packages:
munkitools_core.pkg: The required core command-line tools used by Munki.
munkitools_admin.pkg: The optional admin command-line tools for managing Munki repositories.
munkitools_app.pkg: The user-friendly Managed Software Center application.
munkitools_launchd.pkg: The launchd items to automate checking for updates.

The only package that should be assigned to a manifest is munkitools_app; the rest are marked as either ‘required’ or ‘update for’ packages, so they would be installed regardless.
