Endpoint Services, How can I use both Workspace ONE and Munki to manage my Macs?

Information on macOS endpoint management using a combination of Workspace ONE and Munki.

Systems

Munki Mac Endpoint Management
Workspace ONE Unified Endpoint Management (UEM)

Affected Customers

University of Illinois IT Pros leveraging Technology Services Endpoint Service Munki Mac Endpoint Management and Workspace ONE UEM

Actions

General Information
What Workspace ONE can do
What Munki can do
Using Workspace ONE and Munki together to manage your Macs

General Information

Munki and Workspace ONE (formerly known as AirWatch) complement one another and together provide a full suite of macOS endpoint management tools. Neither Munki nor Workspace ONE provides traditional OS imaging, which Apple no longer supports.

What Workspace ONE can do

Workspace ONE is VMWare's unified endpoint management (UEM) solution with support for multiple platforms including macOS. It provides:

Automatic enrollment of Apple DEP-provisioned devices
Management of secure kernel and system extension loading
Enforcement of device-specific security profiles
Remote management and configuration profiles
Compliance with Apple's stated reliance on unified endpoint management (UEM) or mobile device management (MDM) for macOS management, including OS updates

What Munki can do

Munki is a macOS endpoint management service based on the open-source Munki project. It allows IT Pros to automate the installation and removal of applications (many of which are already packaged by the Endpoint Services team) as well as some support for certain configuration types. Munki is intended for macOS only; no other operating systems are supported. It provides:

Intel hardware only: macOS upgrades (either in-place upgrades or erase-and-install workflows)
Intel hardware only: certain Apple software updates
Adobe products
Microsoft products, including Office
WebStore applications
Many pre-packaged common or free applications (view list of available titles)

Using Workspace ONE and Munki together to manage your Macs

With each successive macOS release, Apple has introduced an increasing number of configuration changes that can only be implemented via a UEM or MDM solution like Workspace ONE, but not via traditional methods such as scripts, Apple Remote Desktop management, or even Munki. An ideal macOS deployment workflow therefore utilizes both Workspace ONE and Munki in the following way:

DEP-provisioned devices are enrolled into Workspace ONE at initial boot

Older, non-DEP devices can be manually enrolled into Workspace ONE

Workspace ONE completes a specified set of desired staging tasks, including:

Local account creation for DEP devices
AD binding
Configuring security settings
Installation of Multi-Tenant Munki tools and configuration
Managing Apple software updates

Munki runs and installs non-Apple App Store applications, certain Apple Software Updates (Intel hardware only), and configurations

Contact the EPS team

Keywords:

EPS MTM munki "multi tenant" multi-tenant mac macos endpoint packaging TechS-EPS-MTM TechS-EPS-WS1 mdm airwatch workspace one "workspace one" enroll uem

Doc ID:

87799

Owned by:

EPS Distribution List in University of Illinois Technology Services

Created:

2018-11-16

Updated:

2022-08-01

Sites:

University of Illinois Technology Services

0 0 Comment Suggest new doc Subscribe to changes