Munki Mistakes Made Right
Thanks very much to the folks at Amsys for having me out to London to present my talk this year at MacADUK, called Munki Mistakes Made Right. Over the last few years, I’ve done probably 25 munki installations, in groups as small as a few clients, or as many as a hundred. There are always challenges in implementing Munki well, especially as the product matures and grows and the ecosystem around it changes to add tools like autopkg, Jamf Pro, and other solutions that can be co-implemented with Munki.
I’ve learned a lot from my implementations, and I want to share that with everyone, that, as the saying goes, that my mistakes may be avoided for future generations of admins. I’ve prepared a few sections of this presentation on various mistakes I’ve made (security mistakes, configuration mistakes, catastrophic mistakes) and how we addressed them in practice. This talk shouldn’t be seen as totally conclusive of all the mistakes that one can make – folks are always coming up with new and creative ways to break things, as well they should – but it’s a good place for me to talk about the ways we’ve been changing our existing environments to make them better, stronger, and faster.
There are some things that I’ve released recently, code-wise, that get callouts in this presentation, and I want to make sure they’re called out clearly here for ease of use:
Munki in a Box 1.5.1
I released Munki in a Box 1.5.1 last week, and it was largely a maintenance release. The following changes should have been expected: by default, Munki in a Box will now setup HTTP Basic Auth set on a password of your choosing. In addition, it’s designed to be used with an HTTPS-native server, which you should be using anyway. The old security branch, which 1.5.0 was based on was something that walked that line, but it was time to fold that branch back in. So I did.
In addition, MIAB 1.5.1 now creates local overrides for all the autopkg recipes that are specified in the initial command variable, to better handle the trust package portion of autopkg.
Change Munki, Tell Slack
As part of the talk, I’m going to explain why a configuration manager or Mac-capable MDM is your best friend, but facing a lack of those for budgetary or administrative reasons, I’m going to give you a tool to deploy changes to your fleet in reportable ways.
If you just need to change one setting, there’s Change Munki, Tell Slack.
If you need to change an array of settings, there’s Change Munki, Tell Slack Many Things.
Both will handle a scripted change of your Munki preferences file and pass that information along to a Slack channel of your choosing via a webhook.
Slides & Notes
I’m making my slides and presenters notes available as a PDF for Download, in case you might enjoy it. If you have comments on the scripts above, please let me know, or suggestions for converting them to python, both are welcome.
Why Configuration Management Matters
Munki Mistakes Made Right (PDF)