Hosted Munki Integration

Last updated July 29, 2021

Munki traditionally requires additional cost and administrative effort to configure, maintain, and secure the Munki client software and a repository server. With the SimpleMDM Munki Integration, a hosted Munki deployment is now available out-of-the-box for SimpleMDM admins.

Why use Munki with an MDM?

Munki is an open-source project that layers additional app capabilities onto the native Apple MDM protocol.

Whereas MDM supports installing a subset of macOS package formats, Munki supports a much wider range of software, including the common .dmg (Apple Disk Image) format. Additionally, Munki provides a private, self-serve app store. Employees may view the software library, install the applications that they need, and receive automatic updates as they become available.

As a testament to Munki, many admins use it even when their MDM already includes a similar offering. It’s that good. The Munki codebase is maintained by an extensive roster of leading Mac Admins and is considered the best macOS software management solution available today.

How SimpleMDM integrates with Munki

Vanilla Install – No Black Box Client

SimpleMDM deploys the open-source, unmodified Munki client code. It integrates with SimpleMDM through standard built-in configuration options.

Unified App Deployment Interface

Munki app deployment is configured using the same interface used to deploy MDM apps. Administrators are able to upload custom apps, assign them to devices, and install with a click. In this manner, an admin can view DEP PreStage, MDM device and user channel, and Munki app deployments from a single interface. No additional command line tooling nor third-party hosting services required.

Security & Performance

The Munki client benefits from SimpleMDM’s distributed, hardened infrastructure. Communications are authenticated using per-device PKI, device attestation, and of course, MDM. Requests are served by SimpleMDM’s cloud infrastructure and content delivery network (CDN), ensuring that software downloads are quick and reliable. Maintenance, security reviews, and investment associated with in-house infrastructure are eliminated.

Adding Software

There are currently three methods for adding Munki-distributed software to your SimpleMDM account.

Shared Apps

SimpleMDM accounts get immediate access to the Shared Apps directory: a growing collection of commonly used macOS software. Apps from this directory, such as Google Chrome or Zoom, for instance, can be added to your catalog and distributed to devices without any additional work on your part. SimpleMDM maintains these apps to ensure they remain up to date.

Custom App Upload

Perhaps you have an in-house application or custom build that you would like to distribute. Apps can be uploaded to SimpleMDM using the admin UI or via API. SimpleMDM processes each upload and determines whether it can be distributed via MDM, Munki, or both.

Please note that macOS requires that binaries distributed via MDM are signed. Our article How To Sign macOS PKGs for Deployment with MDM details this process. Binaries delivered via Munki do not need to be signed.

AutoPkg / Munki Tools

Does your business use AutoPkg or Munki command line tools, like munkiimport? The SimpleMDM Munki repo plugin allows AutoPkg and Munki to publish software directly to your SimpleMDM account. Any AutoPkg .munki recipe can be configured to upload to your SimpleMDM account and distribute to your fleet with just a couple of additional command line or recipe arguments. No refactoring is needed.

Distributing Software

Software assignment for Munki distribution works similarly to distribution using MDM. Assignment groups are created that associate software titles to devices. With the Munki Integration, you may create two different types of Munki assignment groups:

• Managed: Software is automatically installed to devices without requiring any interaction from the user.
• Self-Serve: Software is presented in the Munki client, available on assigned devices. Users may install the software on-demand.

Version Pinning

A powerful feature of the Shared Apps directory is that app titles are automatically updated. While this is a boon in many cases, your business may require a specific version of a software title, or you may wish to test new software titles before releasing them to your fleet.

To accommodate for this, SimpleMDM assignment groups support version pinning for Shared Apps. Within the assignment group, you may select a specific version of the software title. This version will not change without your intervention. Always want the most recent? Select “latest” and your fleet will automatically receive new versions as they are released.

Interoperability With Existing Munki Deployments

The SimpleMDM Munki Integration relies on the same configuration files and binaries as most Munki deployments. Attempting to use both the Munki Integration and an in-house Munki deployment on the same macOS device will likely result in an overwritten or broken Munki configuration.

As a result, SimpleMDM only installs the Munki client on devices that you have designated to receive software using Munki. It is possible to use the SimpleMDM Munki Integration for one subset of devices and an in-house Munki deployment for a different subset of devices. We recommend being careful to avoid assigning the devices using the in-house deployment to any Munki assignment groups.

Questions?

Leave a comment below or reach out to reach out to our support team and we’ll get back to you right away.