Last updated June 12, 2020
Update 6/12/2020: SimpleMDM now integrates with Munki, providing an already-on, out-of-the-box Munki infrastructure without any additional hosting or setup requirements. You may follow this link to learn more.
This article discusses utilizing the Apple Device Enrollment Program (DEP), SimpleMDM, and Munki to create a largely automated deployment strategy.
Munki is an open source toolset used to manage software installation (and removal) on macOS computers. For companies who wish to provide their employees with a professional, easy to use internal app store experience, Munki is the gold standard.
SimpleMDM is an Apple-exclusive device management solution in the cloud. SimpleMDM can add configurations to devices like WiFi, VPN, or an Exchange account. It can apply security policies, like requiring a complex password. It can also automatically install software packages (like Munki!). Update 5/18/17: SimpleMDM now supports package installation during DEP setup, before a user account is created. This is often referred to as “PreStage” installation.
Apple Device Enrollment Program (DEP) allows companies to purchase Apple devices that automatically enroll in an MDM solution when turned on for the first time. It has been a huge boon to macOS and iOS administrators because it allows them to drop-ship devices to remote employees and offices without first competing an inventory check-in and configuration procedure.
There are various forces that are making this technology stack increasingly more appealing.
For one, Apple has stated that in 2017, with the release of High Sierra, macOS will begin utilizing the Apple File System (APFS) as a replacement to HFS+. APFS is the same filesystem currently in use by iOS, tvOS, and watchOS. APFS is a considerably more “managed” or “locked down” filesystem, so some of the existing macOS management toolsets that rely on imaging or low level control of the filesystem may no longer function. For more information on this, Rich Trouton has written an excellent article entitled Imaging will be dead (soon-ish). A move in this direction indicates Apple’s intention for an MDM-first macOS management methodology.
Second, the introduction and popularity of Apple DEP provides for a more hands-off deployment strategy than previously available.
Munki has been a big hit because gives IT and systems engineers a popular tool that employees find easy to use. Engineers have a painless way to manage software outside of imaging solutions and employees are empowered with their own tools. Pairing Munki with DEP and SimpleMDM makes for a very compelling deployment story.
SimpleMDM interfaces directly with a business Apple DEP account. As a result, SimpleMDM configures devices in the DEP account to enroll with SimpleMDM once they’ve initialized.
When a macOS computer initializes, it checks in with Apple DEP for further instruction. Apple DEP will instruct the device to enroll with SimpleMDM. The device will then enroll.
Upon enrollment, SimpleMDM will push various configurations and the Munki software package to the macOS computer, which it will then install. Behind the scenes, this installation is achieved using native MDM functionality, namely the InstallApplication command. The Munki software can optionally utilize configuration files provided by SimpleMDM to identify itself and load an initial Munki configuration.
The deployment process, from the user’s perspective, looks like this:
1. Open a DEP account with Apple
Setting up an Apple DEP account with Apple can take a few days and requires that your organization has a D.U.N.S. number. For this reason, we suggest this as a first step. You can apply for an Apple DEP account on Apple’s website.
2. Configure your Munki environment
This article does not go into the specifics of configuring and deploying Munki. We suggest reading the Getting Started guide Munki provides on their website.
3. Open a SimpleMDM account
If you haven’t already, open a SimpleMDM account from our website. We offer an up-to-date guide on account planning and setup on our support portal. As a general guide, you will want to complete these steps:
Note: When it comes time to purchase additional devices, you will need to notify SimpleMDM to configure DEP properly for them. Please refer to our DEP enrollment article on how to sync new DEP devices with SimpleMDM.
We are happy to discuss your particular deployment and requirements. Feel free to contact us through our website, support channel, or email. Our work with our diverse customer base allows us to share common best practices and successful approaches to reach your goals.