Administrators face numerous challenges when managing a macOS deployment. While an MDM may solve many of them, there are some workflows that can benefit from a little extra help. In this article, we introduce you to a variety of open source technologies that can automate workflows or enable additional functionalities for Mac deployments.
It is worth mentioning that many of these tools require a fair amount of technical aptitude to successfully implement. Additionally, you may find that these solutions are more than what is necessary to accomplish your goals. For this reason, we recommend first identifying the specific requirements for your deployment. Then evaluate which of them can be covered adequately using out-of-the-box features offered by your device management solution. Finally, look for options to address any remaining needs.
Munki is a tool for managing software installations on macOS. Perhaps one of the most common and reputable open-source solutions known to the MacAdmin niche, we would be remiss to not include it on this list.
Its features are highlighted by an internal app store, known as the Managed Software Center. This provides users with a simple interface and self-serve experience for installing and updating software. Admins can also remotely deploy unsigned packages otherwise not permitted by Apple MDM, force software installations, updates and removals, and much more.
Munki is commonly integrated into deployment workflows alongside MDM and the Apple Device Enrollment Program (DEP). This offers a pleasant onboarding experience for users and admins alike.
In addition, there have been various open-source contributions to further enhance Munki workflows. To name a few:
Sal is a client-based reporting dashboard for Munki that allows you to create hierarchical permission sets for viewing reports on your Mac deployment. For example, you can configure reporting permissions for the manager of an individual department allowing them to view only reports for their department. It also provides the ability to create custom reporting widgets, search for specific machines and deployment information, and even allows you to build your own plug-ins.
This is a tool for building macOS PKGs via the command line as part of your Munki deployment.
The second iteration of MunkiWebAdmin, this tool provides a web-based interface for Munki administrators for managing their Munki repositories.
This provides a web-based dashboard allowing you to run and view various reports on your Mac deployment.
Much of the deployment process is often shrouded in mystery from the perspective of the device user, particularly during DEP enrollment. DEPNotify offers end-users transparency and insight into the magic that is happening behind the scenes through a sleek interface displayed during the initial setup process. It can be used to show custom messaging and visuals indicating the device’s progress, letting users know what is happening.
InstallApplications (not to be confused with the InstallApplication MDM protocol command) can often be found as a central piece of Mac DEP enrollment workflows as the initial signed package deployed via MDM. This lightweight package can then handle the installation and/or configurations of additional software, profiles, and scripts. It is commonly used to deploy other MDM tools, such as Munki and DEPNotify, during the initial device setup process following DEP enrollment.
Similar to Munki-pkg, AutoPKG is a command line tool for creating macOS packages. It is designed for use with Munki but can be used elsewhere for package creation. AutoPKG supports a feature called “recipes”, which are prebuilt sequences for automating many tasks of the build process. You can build your own recipes or even use pre-existing recipes to save even more time.
This free Mac app adds a slick, easy-to-use interface to the AutoPKG tool; a nifty addition for admins who prefer a more visual experience while managing their packages and recipes. It allows you to view your recipes, add new components with a few clicks, discover and subscribe to new recipes, and schedule checks for existing recipes, amongst other tasks.
NoMAD, short for “No More Active Directory”, fills a unique gap for Mac deployments that have traditionally used mobile accounts bound to Active Directory. Specifically, it provides admins with the ability to decouple their deployment from Active Directory while retaining the benefits of binding user accounts to it. User accounts remain local while NoMAD handles all the interactions with Active Directory, and it can be implemented while still bound, allowing for a smoother transition process. NoMAD also supports additional functionalities including single sign-on at the macOS sign-in window as well as password synchronization.
Ensuring that FileVault is enabled on company-owned Macs is often a high priority. Apple MDM has built-in support for FileVault enforcement and key escrow, but Crypt expands on these capabilities. Crypt can be configured on your own server for storing FileVault recovery keys. Furthermore, it can enforce FileVault when devices are offline, enable admins to configure certain permissions for users, and offers a self-serve functionality to allow users to request their own recovery keys.
The process of building macOS PKGs used only for deploying scripts can be repetitive and a hassle. Additionally, admins often do not want the package to leave anything behind after the script has run. This clever tool makes it easy for admins to quickly build packages from their scripts that can then be delivered via MDM.
Virtual machines can be incredibly useful for testing deployment strategies and implementations. For example, they can be used to test macOS enrollments with Apple DEP. However, creating or obtaining a VM image can be a tricky and time-consuming process. Vfuse simplifies this task by creating a VMware Fusion VM image directly from a DMG that has not been booted. It is commonly used with DMGs created using AutoDMG.
AutoDMG allows you to quickly and easily convert a macOS installer downloaded from the Mac App Store into a deployable system image. Amongst other things, it can be particularly useful for creating system images that can then be used with Vfuse to generate a VM image.
Managing macOS software updates for entire deployments can be a cumbersome task. MacAdmins have traditionally had limited options for handling them. For example, it may not always be desirable to update all machines to the most recent OS version available in the App Store. Additionally, many devices downloading OS updates simultaneously can put a lot of stress on an individual network. Reposado allows you to download Apple Software Update catalogs and host them on your own server. As a result, admins have more control over installed versions. These update servers can be hosted locally which is particularly helpful for large deployments to reduce the impact on the connected network. It also features a command line tool that lets you create multiple branches of the update catalogs, which is useful for tasks such as testing new releases on a subset of devices.
These are just a handful of the open-source tools that can provide efficient solutions to tasks that MacAdmins may be faced with. Feel free to include additional suggestions or recommendations below for anything we may have missed. Finally, thank you to the contributors to these projects for their efforts in creating these useful solutions.
SimpleMDM is a mobile device management solution that helps IT teams securely update, monitor, and license Apple devices in a matter of minutes — all while staying on top of Apple updates automatically.