Integrate Casper & Munki?

jwojda
Valued Contributor II

How well do Casper and Munki get along? I set up a demo box to do software updates only, but I'm not fully sure how to integrate with Casper? I thought I read somewhere you could do a force install after a grace period with updates with v 8.4.x, but I didn't see much on their wiki.

16 REPLIES

rderewianko
Valued Contributor II

bbass
Contributor

Greg Neagle addressed some of this in this post:

https://jamfnation.jamfsoftware.com/discussion.html?id=6871

However, it's a little unclear as to what you set up. Did you install the munki client on a machine or did you set up a munki server?

We have a munki server set up in our organization but it's essentially dormant. On occasion we use it to push updates that are problematic within Casper (the most recent being Office 2011 14.2.3).

However, we do use the munki client as our primary mechanism to install Apple software updates. We do this because we have a fair amount of standard users in our company and munki allows for admin-password-less installs. It's also good because it runs on an hourly basis and the nagging is a good thing. If we relied solely on Self Service most of our folks would be several point releases behind on Apple software.

gregneagle
Valued Contributor

Here's some info on the new 0.8.4 functionality:

http://code.google.com/p/munki/wiki/PkginfoForAppleSoftwareUpdates

jwojda
Valued Contributor II

bbass/gregneagle: that link is where I learned about the 0.8.4.

What I did was go to the munki wiki and they had instructions on how to do a "demonstration setup" (https://code.google.com/p/munki/wiki/DemonstrationSetup) + the pkginfoForAppleSoftwareUpdates info.

I assume that was setting up a munki server (although I just set up on a temp box, more to do a proof of concept to see how it would work as I couldn't find many YouTube videos on Munki in action).
On the test box I can manually launch the .app - but I couldn't find any info about the grace period or if there was a way to integrate it into working with Casper to call the Munki software update app...

gregneagle
Valued Contributor

jwojda:

If you have some specific questions, ask them here or on the munki-dev list and we can try to get them answered for you.

khowe
New Contributor II

I know this is a little off topic but in response to bbass, we just have a self service policy for software updates and it allows standard users to install them.

bbass
Contributor

khowe:

We have a Self Service policy to do that as well. It's not that Self Service is deficient; it's just that our users do not have a habit of seeking updates. Since Self Service is essentially a manual interaction - you have to launch it yourself - we find that we have to nag folks ourselves to get people to run their updates.

The munki client works more like Apple's software update system. It recognizes when there is an update and it pops up the Managed Software Update window for the user. This mirrors Apple's procedure (before Mountain Lion, at least) so it's also more familiar to folks.

In short, it's easier to let Managed Software Update gently nag them rather than the Casper Administrators.

The other bit about munki that we like is that it allows us to maintain a diverse toolset. Casper is a fantastic system and it has literally changed the way we do our job (for the better, of course) but sometimes there is another tool that just fits our circumstances (certainly not everybody's) a little better. This is one of the reasons why DeployStudio is a part of our imaging procedure.

Hope that clarifies things a bit.

jwojda
Valued Contributor II

@bbass - I'm interested in trying to do what you just described, have the Munki client recognize there's an update and then take over for Software Updates with progressively more forceful nagging (ending in a forced install). I'm not super familiar with Munki so I don't know what I don't know to ask the appropriate questions. But what you said sounds like my end goal.

bbass
Contributor

jwojda:

In that case, I would look here:

https://code.google.com/p/munki/wiki/AppleSoftwareUpdatesWithMunki

Use Casper to install the munki package on the machines and then set the preferences with defaults write commands. Pretty simple, really.

We've been running this for over a year now and it works very well.

jwojda
Valued Contributor II

I think that's where I'm getting lost, that link has a portion at the bottom talking about 8.4 and doing more specific configs - https://code.google.com/p/munki/wiki/PkginfoForAppleSoftwareUpdates. If I'm reading it right, it looks like I need to find each individual Apple pkginfo and put them into munki manually and tell it to force install? That's well and great, but there are hundreds of updates sitting on our internal SUS. So is there an easier way to import them or a global setting I can use since I just want it for updates (and maybe Oracle Java updates)?

bbass
Contributor

Greg will obviously be able to speak to this better than I can but my understanding is this:

With v0.8.4.x you can now have more control over how Apple software updates are installed. This necessitates using the munki server component and adding the metadata for packages only if you want them to work in a manner that is not standard. Thus, if you have just a few updates that you want to force install or delay install or whatever the new capabilities are then you only need to add the metadata for those particular packages. The rest can just be served up normally without metadata.

As we're getting into an area that is outside the scope of Casper, further questions might be best asked in the munki-dev group. You can find that here:

https://groups.google.com/forum/?fromgroups=#!forum/munki-dev

Hope that helps.

bbass
Contributor

Forgot to add...

It should be noted that you don't need the munki server at all to run in Apple Software Update Only mode. Just set these three preferences on your machine and you should be good to go.

defaults write /Library/Preferences/ManagedInstalls InstallAppleSoftwareUpdates -bool True
defaults write /Library/Preferences/ManagedInstalls AppleSoftwareUpdatesOnly -bool True
defaults write /Library/Preferences/ManagedInstalls SoftwareUpdateServerURL "Your SUS here"

The extras in v0.8.4.x require munki server and the additional metadata.

Hopefully, that clears up things a little.
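
A way to check that the three preferences above landed as intended, as an added example that is not part of the post or of munki's own code: it reads a ManagedInstalls plist with Python's plistlib and reports missing keys, values stored as strings (what `defaults write` produces when `-bool` is omitted), an unreplaced placeholder URL, and a plain-HTTP update server. The function name `audit_prefs`, the sample plists and the host sus.example.com are assumptions made for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Keys from the post above; on a managed Mac they are stored in
# /Library/Preferences/ManagedInstalls.plist.
BOOL_KEYS = ("InstallAppleSoftwareUpdates", "AppleSoftwareUpdatesOnly")
URL_KEY = "SoftwareUpdateServerURL"


def audit_prefs(plist_bytes):
    """Return a list of findings for a ManagedInstalls plist (empty = OK)."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for key in BOOL_KEYS:
        value = prefs.get(key)
        if value is None:
            findings.append(f"{key}: not set")
        elif not isinstance(value, bool):
            # 'defaults write' without -bool stores a string, not a boolean
            findings.append(f"{key}: stored as {type(value).__name__}, expected boolean")
        elif value is False:
            findings.append(f"{key}: set to false")
    url = prefs.get(URL_KEY)
    if not isinstance(url, str) or not url:
        findings.append(f"{URL_KEY}: not set")
    else:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"{URL_KEY}: not a URL (placeholder left in?)")
        elif parsed.scheme == "http":
            findings.append(f"{URL_KEY}: plain HTTP (unencrypted)")
    return findings


# Constructed sample inputs (hypothetical, not taken from a real machine).
GOOD = plistlib.dumps({
    "InstallAppleSoftwareUpdates": True,
    "AppleSoftwareUpdatesOnly": True,
    "SoftwareUpdateServerURL": "https://sus.example.com/index.sucatalog",
})
BAD = plistlib.dumps({
    "InstallAppleSoftwareUpdates": "True",       # written without -bool
    "SoftwareUpdateServerURL": "Your SUS here",  # placeholder never replaced
})

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_prefs(blob) or "OK")
```
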

michaelhusar
Contributor II

I would like to secure the communication between the client and munki via certificate:

Any ideas how to use Casper for this? Anyone used the Jamf-CA and client certs to secure the munki communication?
Thanks for your input!

mda5
New Contributor

@michaelhusar

We are trying to achieve the exact same thing. Were you able to do this?

Nix4Life
Valued Contributor

@michaelhusar

Have you looked at jamjar?

michaelhusar
Contributor II

@Nix4Life Thank you for pointing that out. We do a very similar thing to manipulate the localonlymanifest with Jamf and/or Antsframework https://github.com/ANTS-Framework
My question was about the communication to munki. Right now we have keys. I was wondering if there is a way to use Jamf as CA-GUI and then use the certs to secure the communication. Since we did not succeed so far, we are looking into https://github.com/micromdm/micromdm and are doing a plug-in for nginx.