Slides from Munki Mistakes Made Right

Talking about the mistakes you’ve made in your career isn’t something a lot of people want to do. I spent an hour doing it today at Penn State, specifically about my Munki environments and how we’ve learned and adapted as an organization. I’ve expanded this talk since February, and it includes a conversation about how we’re slowly moving our munki repository toward cloud services like Cloudfront.

Munki Mistakes Made Right Slides


Slides from “Fighting With Physics: A Wi-Fi Workshop”

It was an incredible pleasure to present our workshop yesterday, “Fighting With Physics: A Wi-Fi Workshop”. We covered a lot of ground, answered a lot of questions, and broke a lot of old myths about Wi-Fi in the process. We’ve provided our slides below as a teaching aid to carry with you, as they often carry a lot of good and useful information for educating yourself and others.

As knowledge is like signal power, and decreases the further you get from in relation to the inverse of the square of the distance, feel free to reach out to us in Slack in #wifi, or via email, with any questions that you have, or if you need help accomplishing something in your environment.

Section 1 – RF, Wi-Fi & Jargon

Section 2 (Wide) – Mechanics and Troubleshooting

Section 3 – Wi-Fi Network Design

Section 4 – Network Security & Advanced Device Techniques

Munki Mistakes Made Right, a Mac AD UK Conference Presentation

Munki Mistakes Made Right, Tom Bridge, Technolutionary LLC

Munki Mistakes Made Right

Thanks very much to the folks at Amsys for having me out to London to present my talk this year at MacADUK, called Munki Mistakes Made Right. Over the last few years, I’ve done probably 25 munki installations, in groups as small as a few clients, or as many as a hundred. There are always challenges in implementing Munki well, especially as the product matures and grows and the ecosystem around it changes to add tools like autopkg, Jamf Pro, and other solutions that can be co-implemented with Munki.

I’ve learned a lot from my implementations, and I want to share that with everyone, that, as the saying goes, that my mistakes may be avoided for future generations of admins. I’ve prepared a few sections of this presentation on various mistakes I’ve made (security mistakes, configuration mistakes, catastrophic mistakes) and how we addressed them in practice. This talk shouldn’t be seen as totally conclusive of all the mistakes that one can make – folks are always coming up with new and creative ways to break things, as well they should – but it’s a good place for me to talk about the ways we’ve been changing our existing environments to make them better, stronger, and faster.

There are some things that I’ve released recently, code-wise, that get callouts in this presentation, and I want to make sure they’re called out clearly here for ease of use:

Munki in a Box 1.5.1

I released Munki in a Box 1.5.1 last week, and it was largely a maintenance release. The following changes should have been expected: by default, Munki in a Box will now setup HTTP Basic Auth set on a password of your choosing. In addition, it’s designed to be used with an HTTPS-native server, which you should be using anyway. The old security branch, which 1.5.0 was based on was something that walked that line, but it was time to fold that branch back in. So I did. 

In addition, MIAB 1.5.1 now creates local overrides for all the autopkg recipes that are specified in the initial command variable, to better handle the trust package portion of autopkg.

Change Munki, Tell Slack

As part of the talk, I’m going to explain why a configuration manager or Mac-capable MDM is your best friend, but facing a lack of those for budgetary or administrative reasons, I’m going to give you a tool to deploy changes to your fleet in reportable ways.

If you just need to change one setting, there’s Change Munki, Tell Slack.

If you need to change an array of settings, there’s Change Munki, Tell Slack Many Things.

Both will handle a scripted change of your Munki preferences file and pass that information along to a Slack channel of your choosing via a webhook.

Slides & Notes

I’m making my slides and presenters notes available as a PDF for Download, in case you might enjoy it. If you have comments on the scripts above, please let me know, or suggestions for converting them to python, both are welcome.

A group of laptops, set aflame by bad profile,  cost money and time

Why Configuration Management Matters

Munki Mistakes Made Right (PDF)

Testing iOS 10 & Sierra in Your Environment

Testing Sierra & iOS 10 Slide

Last night, I presented at MacDMV on the importance of Testing iOS 10 and Sierra in your environment. The slides and presenters notes are available as a PDF Download. You can also watch the presentation below via Facebook video. The presentation begins about 3:30.

Testing Sierra and iOS 10 is incredibly important, because you need to be ready on Day 1 in case your users update ahead of your wishes. You need to know whether you can make your existing systems work, or if you’re going to have to expend the political capital to roll them back. Do you have a testing setup? Do you have a testing plan? Do you know how to submit good feedback to Apple? This presentation will help.

I’ve also built a Sample Testing Checklist for your environment, available as a PDF below, and also as an editable OmniOutliner file so you can make your own editable list.

Helpful Links:

Maslow’s Wi-Fi
Mike Boylan’s 2014 Presentation: Getting Your Issue on Apple’s Radar
Sample Testing Checklist PDF
Testing Checklist OO3 File

MacDevOps YVR 2016: Securing Munki

Securing Munki

Below are the slides for my 2016 Talk at MacDevOps on Securing Munki. The talk was a good way to revisit what I’ve done with Munki in a Box and discuss some of the maybe not-so-great choices that were made along the way to get to where we are now with the security branch.

The talk focuses on the nature of the munki transaction, and where your deployment system can be vulnerable to attacks from casual interference, dedicated individuals with a grudge or a motive, or larger actors. There is also some advice about how to mitigate the problems that are presented by the architecture.

I’m not a fulltime security anything, but I’ve learned a lot in the last year by doing things that maybe aren’t advisable any longer. So, to anyone who used MIAB before 1.5.0 beta 2, there’s some work you should do to secure your repository if you meet certain use cases, and I strongly recommend that you adopt SSL encapsulation of the munki transaction, and the use of HTTP Basic Auth to secure your repository against prying eyes.

I’ll be making some changes to MIAB over the summer to automate the creation of a CA and enrollment of device certificates using the micromdm scep library and a web server that actually isn’t part of (likely to be the Go-based Caddy server as described by Viktor in a great blog post)

Download my slides & notes!

MacAD UK: A WiFi Toolkit

Mad Admin & Developers Conference UK

Chris Dawe from Wheelwrights LLC and I co-presented this deck at the Mac Admin & Developers Conference in London on Tuesday, February 9th 2016. Our focus was on leveraging native, 3rd party, and cross platform tools to help manage, troubleshoot and plan small, medium and large-scale WiFi networks across sites large & small.

Our presentation notes are available for download as a PDF file: A WiFi Toolkit – MacAdUK 2016

Some tools that we’ve mentioned include:

Some resources that are helpful: