Tonight I’ve released a test branch of Munki-in-a-Box that adds a significant feature: Out of the box HTTP Authentication over SSL for a higher level of security.
Previous versions of Munki-in-a-Box have leveraged transport layer security to make sure that the packages and manifests sent from the server to the client were not captured in transit. TLS is helpful for making sure that you’re talking with the right server, provided that you haven’t accepted a false certificate. This new version seeds the authentication credentials to the client through the ClientInstaller.pkg file created by the script, and then provides HTTP Basic Authentication setup files for your Server.
This does make a pretty stark change: The Software Repo now has to be in the Server’s path, and by default, it will be a folder marked /Library/Server/Web/Data/Sites/Default. Server cannot apply .htaccess and .htpasswd files outside of /Library/Server, so the repository has to live there directly instead of in
You can set the password for HTTP Basic Authentication in the initial declaration of variables.
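The following is an added example, not code from the Munki-in-a-Box script. It shows what the seeded credential and the server-side .htaccess look like, and that the Basic header is only base64-encoded, so anyone holding the ClientInstaller.pkg can recover the password. It assumes the client sends the credential through Munki's AdditionalHttpHeaders preference; the user name, password and the `<repo>` path component are constructed placeholders.

```shell
#!/bin/sh
# Added example: function names and sample values are constructed, not the project's.

# Build the header line a Munki client can send via AdditionalHttpHeaders.
basic_auth_header() {
    local user="$1" pass="$2"
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')"
}

# Recover "user:password" from a header line. No key is needed:
# base64 is an encoding, so the header is as sensitive as the password.
decode_basic_auth_header() {
    printf '%s' "${1#Authorization: Basic }" | base64 --decode
}

# Emit an .htaccess for the repository folder. SSLRequireSSL makes Apache
# refuse plain-HTTP requests, so the header never crosses the wire unencrypted.
htaccess_for_repo() {
    local htpasswd_path="$1"
    cat <<EOF
SSLRequireSSL
AuthType Basic
AuthName "Munki Repository"
AuthUserFile $htpasswd_path
Require valid-user
EOF
}

# Constructed sample credential (placeholder, change before any real use).
HEADER="$(basic_auth_header "munki" "CHANGEME")"
echo "Client header : $HEADER"
echo "Decodes to    : $(decode_basic_auth_header "$HEADER")"
echo "--- .htaccess ---"
htaccess_for_repo "/Library/Server/Web/Data/Sites/Default/<repo>/.htpasswd"
```

Because the header decodes trivially, treat the client installer package and the client preference file holding it as secrets, and use a repository-only password that is not reused elsewhere.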
Next up? Figuring out how to automate the setup of a CA for device certificate signing.