Endpoint Services, Munki, Munki v5
Vital information about the significant changes introduced in Munki v5 and how they affect end users.
Munki Mac Endpoint Management
University of Illinois IT Pros leveraging Technology Services Endpoint Services Munki Mac Endpoint Management systems.
- General Information
- Managed Software Center and Apple Updates (Apple Silicon/M1 Hardware)
- Managed Software Center and Apple Updates (Intel Hardware)
- Additional Update Encouragement
- Aggressive Update Notification
- Apple Forced Updates Deprecation
- Deploying Munki v5
- Staying on Munki v4
- Labs and Shared Workstations
- Sample Customer Communication (Intel Hardware)
- Munki Changelog
Beginning with macOS 10.14, handoffs between Munki and Apple's softwareupdate tool (which Munki uses to install Apple software updates) became problematic, with Munki often failing to trigger Apple software updates at the login window and updates not completing.
In addition, with macOS 11 on Apple Silicon/M1 hardware, installing Apple software updates via Munki is no longer possible due to changes Apple has made.
Munki release v5 addresses this issue by not attempting to install certain Apple updates on macOS 10.14 (Mojave) and above. Specifically:
- On Intel hardware, Munki v5 does not install Apple software updates that require a restart. Managed Software Center instead directs users to use System Preferences - Software Update to install these updates.
- Apple software updates that don't require a restart
- Non-Apple software updates (e.g. Google Chrome, Microsoft Office, Adobe applications)
- All software and updates (including those requiring restarts) on macOS 10.13 and below
- On Apple Silicon/M1 hardware, Munki v5 no longer checks for Apple software updates, and Managed Software Center does not notify users of any available Apple software updates.
In the following screenshot, Managed Software Center offers a typical set of updates, including an Apple update that requires a restart:
When "Update All" is selected, Munki v5 displays a dialogue directing users to use System Preferences - Software Update to install the Apple update that requires a restart:
If the user clicks "Skip these updates", the Apple update requiring a restart is removed from the list of updates in Managed Software Center. Clicking "Update All" will install the remaining updates in the usual fashion. At the next Munki update check, any skipped Apple updates will be offered again.
However, if the user clicks the "Install Now" button, Munki v5 will launch System Preferences - Software Update.
If the user selects the "More info" link, all pending Apple Software updates are displayed with additional information, including an "Install Now" button:
- If the user selects "Install Now", the update will proceed; after a restart, Munki will install any remaining updates. Unlike major version upgrades, Apple Software Updates can be performed by standard/non-admin accounts.
- If the user instead selects "Close" and then quits System Preferences, no updates will be installed, Apple or otherwise, and Munki will re-offer the updates at the next update check.
- Action is required to initiate the software update. Apple Software Updates will not begin automatically without user action.
Note that the major macOS upgrade offer (in this example, for Big Sur on a Catalina system) is prominent, and might mislead the user into incorrectly selecting "Upgrade Now" instead of correctly selecting the "More info" link. While Apple does provide a mechanism to suppress major OS upgrade offers, this functionality requires MDM enrollment. Standard/non-admin accounts can click the "Upgrade Now" button to download a macOS upgrade installer, but administrator credentials are required to perform the upgrade itself.
With Munki v5, Managed Software Center will provide additional encouragement and cues intended to guide end users to install updates in a timely fashion.
- Any updates (Apple or otherwise) pending for more than two days will be labeled.
- If the user attempts to quit Managed Software Center when any update (Apple or otherwise) has been pending for more than 14 days, a "Pending updates" reminder is presented, and the "Quit" button is disabled for 5 seconds. Managed Software Center will quit on the second request.
- Munki v5's update encouragement behavior cannot be disabled.
Munki v5 also introduces "aggressive update notification" mode to further discourage update deferral. In addition to the new update encouragement behavior, if the user attempts to quit Managed Software Center when any update (Apple or otherwise) has been pending for more than 14 days:
- Only the Updates tab is available
- Access to the Command-Tab task switcher and Dock is removed
- The ability to click other applications to switch to them is blocked
- Other applications appear grayed out
- Force-quit is blocked
- Several other items in the Apple menu are disabled
Aggressive update notification mode can be configured to shorten or lengthen the default interval of 14 days by using one of the following optional configurations.
- Munki - 7 Days Before Aggressive Update Notification
- Munki - 21 Days Before Aggressive Update Notification
- Munki - 28 Days Before Aggressive Update Notification
- Munki - No Aggressive Update Notification
Because the force_install_after_date key will no longer work for Apple metadata packages on macOS 10.14 and up under Munki v5, Endpoint Services has deprecated the global_free_appleforcedupdates catalog. Please delete this catalog from your manifest templates so that it will not be included in any newly-onboarded clients.
When you are ready to upgrade your Macs to Munki v5, modify your unit manifests to replace munkitools and all munkitools_x packages with munkitools5.
- Open your repo in MunkiAdmin and select the Manifests tab, either from the toolbar or by typing Command-3.
- Click the Search button and configure a search for "Any installs item" "contains" "munkitools".
- From the search results, open each manifest and go to the Managed Installs section.
- Click the plus button and enter munkitools5 in the search field; the search should return all munkitools5_xyz packages. Select and add all six packages shown below.
- Back in the list of Managed Installs, click to select munkitools and all munkitools_xyz packages -- e.g. munkitools_core, munkitools_launchd, etc... and click the minus button to delete them.
- Continue until all manifests have been modified to replace all munkitools packages with their munkitools5 counterparts.
- Save your changes.
For the time being, Endpoint Services will continue to make Munki v4 available under the same name key. Units needing extra time to prepare for v5 do not need to take any action in order to stay on v4. However, all units will eventually need to transition to v5.
Note that Big Sur requires Munki v5.
Apple currently provides no native mechanism for automating software updates without user interaction. The Endpoint Services team has a workaround for labs, kiosks, and other scenarios where asking end users to install updates is not feasible. If you have need of this solution in your environment, please contact the EPS team.
For your convenience, the following is a sample email for informing your Mac users about the coming changes to Managed Software Center behavior.
The following information is for faculty and staff with IT-managed Macs, and contains important information about upcoming changes to the way software updates are handled.
Some of you have experienced issues with Apple software updates hanging at the login window, necessitating computer restarts and resulting in workflow disruptions. In response to this issue, on [date], we are releasing a new version of Managed Software Center, the application used to keep macOS updated.
Once your Mac has received the Managed Software Center update, you will see the following changes to how software updates are handled:
- Managed Software Center will no longer attempt to install Apple software updates that require a restart.
- Instead, Managed Software Center will launch System Preferences - Software Update, which will offer the updates for installation.
- You must take action to install updates.
- Updates will not install automatically without action on your part.
- Depending on the version of macOS you are using, you may see an ‘Upgrade Now’ button. Do not click ‘Upgrade Now’ without first contacting your IT support team. Instead, click the ‘More info’ link, which will show you updates for the version of macOS already installed on your Mac.
Subscribe to the Munki changelog if you wish to be notified about upcoming product and service changes affecting Munki and MunkiReport. (The 'Subscribe to changes' button is located just above the page footer.)