Munki traditionally requires additional cost and administrative effort to configure, maintain, and secure the Munki client software and a repository server. With the SimpleMDM Munki Integration, a hosted Munki deployment is now available out-of-the-box for SimpleMDM admins.
Why use Munki with an MDM?
Munki is an open-source project that layers additional app capabilities onto the native Apple MDM protocol.
Whereas MDM supports installing a subset of macOS package formats, Munki supports a much wider range of software, including the common .dmg (Apple Disk Image) format. Additionally, Munki provides a private, self-serve app store. Employees may view the software library, install the applications that they need, and receive automatic updates as they become available.
As a testament to Munki, many admins use it even when their MDM already includes a similar offering. It’s that good. The Munki codebase is maintained by an extensive roster of leading MacAdmins and is considered the best macOS software management solution available today.
How SimpleMDM integrates with Munki
Vanilla install – No black box client
SimpleMDM deploys the open-source, unmodified Munki client code. It integrates with SimpleMDM through standard built-in configuration options.
Unified app deployment interface
Munki app deployment is configured using the same interface used to deploy MDM apps. Administrators are able to upload custom apps, assign them to devices, and install with a click. In this manner, an admin can view DEP PreStage, MDM device and user channel, and Munki app deployments from a single interface. No additional command line tooling nor third-party hosting services required.
Security & performance
The Munki client benefits from SimpleMDM’s distributed, hardened infrastructure. Communications are authenticated using per-device PKI, device attestation, and of course, MDM. Requests are served by SimpleMDM’s cloud infrastructure and content delivery network (CDN), ensuring that software downloads are quick and reliable. Maintenance, security reviews, and investment associated with in-house infrastructure are eliminated.
Adding software
There are currently five methods for adding Munki-distributed software to your SimpleMDM account.
Shared apps
SimpleMDM accounts get immediate access to the Shared Apps directory: a growing collection of commonly used macOS software. Apps from this directory, such as Google Chrome or Zoom, for instance, can be added to your catalog and distributed to devices without any additional work on your part. SimpleMDM maintains these apps to ensure they remain up to date.
Custom app upload
Perhaps you have an in-house application or custom build that you would like to distribute. Apps can be uploaded to SimpleMDM using the admin UI or via API. SimpleMDM processes each upload and determines whether it can be distributed via MDM, Munki, or both.
Please note that macOS requires that binaries distributed via MDM are signed and review the process. Binaries delivered via Munki do not need to be signed.
AutoPkg & Munki tools
Does your business use AutoPkg or Munki command line tools, like munkiimport? The SimpleMDM Munki repo plugin allows AutoPkg and Munki to publish software directly to your SimpleMDM account. Any AutoPkg .munki recipe can be configured to upload to your SimpleMDM account and distribute to your fleet with just a couple of additional command line or recipe arguments. No refactoring is needed.
Customizable PkgInfo
PkgInfo files, which are traditionally generated with makepkginfo tool, contain metadata about the apps being installed, as well as installation behavior controls. SimpleMDM's Munki integration automatically generates the PkgInfo for apps by default, but it also offers the ability to customize them as needed.
With custom PkgInfo, admins have more control over that behavior as well as the end users’ experience when apps are being installed via the Managed Software Center. Customize the PkgInfo files, upload your own, or edit the existing file for your Munki apps all within the admin interface.
NoPkg support
NoPkgs are great for running scripts and automatically checking for changes in the installed state. They can also provide self-service scripts via the Managed Software Center. To use a NoPkg with SimpleMDM, you can create your own and upload it or copy an existing one and paste it into the text editor. See the official Munki documentation for examples of NoPkgs and instructions on how to create one.
After generating your NoPkg, use Munki-type assignment groups to assign and deploy your NoPkg. Combined with custom attributes, NoPkg support extends script execution capabilities beyond the current Scripts features already included in the admin interface.
Distributing software
Software assignment for Munki distribution works similarly to distribution using MDM. Assignment groups are created that associate software titles to devices. With the Munki Integration, you may create two different types of Munki assignment groups:
Managed: Software is automatically installed to devices without requiring any interaction from the user.
Self-Serve: Software is presented in the Munki client, available on assigned devices. Users may install the software on-demand.
Version pinning
A powerful feature of the Shared Apps directory is that app titles are automatically updated. While this is a boon in many cases, your business may require a specific version of a software title, or you may wish to test new software titles before releasing them to your fleet.
To accommodate for this, SimpleMDM assignment groups support version pinning for Shared Apps. Within the assignment group, you may select a specific version of the software title. This version will not change without your intervention. Always want the most recent? Select “latest” and your fleet will automatically receive new versions as they are released.
Interoperability with existing Munki deployments
The SimpleMDM Munki Integration relies on the same configuration files and binaries as most Munki deployments. Attempting to use both the Munki Integration and an in-house Munki deployment on the same macOS device will likely result in an overwritten or broken Munki configuration.
As a result, SimpleMDM only installs the Munki client on devices that you have designated to receive software using Munki. It is possible to use the SimpleMDM Munki Integration for one subset of devices and an in-house Munki deployment for a different subset of devices. We recommend being careful to avoid assigning the devices using the in-house deployment to any Munki assignment groups.
