Endpoint Services, Munki, Munki v5

Vital information about the significant changes introduced in Munki v5 and how they affect end users.


Munki Mac Endpoint Management

Intended Audience

University of Illinois IT Pros leveraging Technology Services Endpoint Services Munki Mac Endpoint Management systems.


General Information

Beginning with macOS 10.14, handoffs between Munki and Apple's softwareupdate tool (which Munki uses to install Apple software updates) became problematic, with Munki often failing to trigger Apple software updates at the login window and updates not completing.

In addition, with macOS 11 on Apple Silicon/M1 hardware, installing Apple software updates via Munki is no longer possible due to changes Apple has made.

Munki release v5 addresses this issue by not attempting to install certain Apple updates on macOS 10.14 (Mojave) and above. Specifically:

  • On Intel hardware, Munki v5 does not install Apple software updates that require a restart. Managed Software Center instead directs users to use System Preferences - Software Update to install these updates. Munki will still install the following:
    • Apple software updates that don't require a restart
    • Non-Apple software updates (e.g. Google Chrome, Microsoft Office, Adobe applications)
    • All software and updates (including those requiring restarts) on macOS 10.13 and below
  • On Apple Silicon/M1 hardware, by default, Munki v5 does not check for Apple software updates, and Managed Software Center does not notify users of any available Apple software updates.
On Apple Silicon/M1 hardware, by default, Munki v5 will not check for, notify about, or install any Apple software updates.

Managed Software Center and Apple Updates (Intel Hardware)

In the following screenshot, Managed Software Center offers a typical set of updates, including an Apple update that requires a restart:

Pending Updates

When "Update All" is selected, Munki v5 displays a dialogue directing users to use System Preferences - Software Update to install the Apple update that requires a restart:

Update All

If the user clicks "Skip these updates", the Apple update requiring a restart is removed from the list of updates in Managed Software Center. Clicking "Update All" will install the remaining updates in the usual fashion. At the next Munki update check, any skipped Apple updates will be offered again.

Skip These Updates

However, if the user clicks the "Install Now" button, Munki v5 will launch System Preferences - Software Update.

Install Now

If the user selects the "More info" link, all pending Apple Software updates are displayed with additional information, including an "Install Now" button:

More Info

  • If the user selects "Install Now", the update will proceed; after a restart, Munki will install any remaining updates. Unlike major version upgrades, Apple Software Updates can be performed by standard/non-admin accounts.
  • If the user instead selects "Close" and then quits System Preferences, no updates will be installed, Apple or otherwise, and Munki will re-offer the updates at the next update check.
  • Action is required to initiate the software update. Apple Software Updates will not begin automatically without user action.

Note that the major macOS upgrade offer (in this example, for Big Sur on a Catalina system) is prominent, and might mislead the user into incorrectly selecting "Upgrade Now" instead of correctly selecting the "More info" link. While Apple does provide a mechanism to suppress major OS upgrade offers, this functionality requires MDM enrollment. Standard/non-admin accounts can click the "Upgrade Now" button to download a macOS upgrade installer, but administrator credentials are required to perform the upgrade itself.

Install Now

Additional Update Encouragement

With Munki v5, Managed Software Center will provide additional encouragement and cues intended to guide end users to install updates in a timely fashion. 

  • Any updates (Apple or otherwise) pending for more than two days will be labeled.
  • If the user attempts to quit Managed Software Center when any update (Apple or otherwise) has been pending for more than 14 days, a "Pending updates" reminder is presented, and the "Quit" button is disabled for 5 seconds. Managed Software Center will quit on the second request.
  • Munki v5's update encouragement behavior cannot be disabled.

Aggressive Update Notification Mode

Munki v5 also introduces "aggressive update notification" mode to further discourage update deferral. In addition to the new update encouragement behavior, if the user attempts to quit Managed Software Center when any update (Apple or otherwise) has been pending for more than 14 days:

  • Only the Updates tab is available
  • Access to the Command-Tab task switcher and Dock is removed
  • The ability to click other applications to switch to them is blocked
  • Other applications appear grayed out
  • Force-quit is blocked
  • Several other items in the Apple menu are disabled

Aggressive update notification mode can be configured to shorten or lengthen the default interval of 14 days by using one of the following optional configurations.

  • Munki - 7 Days Before Aggressive Update Notification
  • Munki - 21 Days Before Aggressive Update Notification
  • Munki - 28 Days Before Aggressive Update Notification
Aggressive update notification mode may also be disabled with the following configuration, although Endpoint Services advises against its use in most cases in order to avoid unpatched and vulnerable systems.
  • Munki - No Aggressive Update Notification

Apple Forced Updates Deprecation

Because the force_install_after_date key will no longer work for Apple metadata packages on macOS 10.14 and up under Munki v5, Endpoint Services has deprecated the global_free_appleforcedupdates catalog. Please delete this catalog from your manifest templates so that it will not be included in any newly-onboarded clients.

Deploying Munki v5

Note: Before deploying Munki v5 in your environment, ensure that Macs are not configured to block non-admins from installing Apple software updates.

If you do not, your end users may have no way to install many Apple updates.

For assistance removing existing configurations, please contact the EPS team.

When you are ready to upgrade your Macs to Munki v5, modify your unit manifests to replace all munkitools and munkitools_xxx packages with munkitools5 and munkitools5_xxx packages.

  1. Open your repo in MunkiAdmin and select the Manifests tab, either from the toolbar or by typing Command-3.
  2. Click the Search button and configure a search for "Any installs item" "contains" "munkitools".
    MunkiAdmin Manifest Search
  3. From the search results, open each manifest and go to the Managed Installs section.
    MunkiAdmin base default manifest
  4. Click the plus button and enter munkitools5 in the search field; the search should return all munkitools5_xyz packages. Select and add all six packages shown below.
    munkitools5 search
  5. Back in the list of Managed Installs, click to select munkitools and all munkitools_xyz packages -- e.g. munkitools_core, munkitools_launchd, etc... and click the minus button to delete them.

  6. Continue until all manifests have been modified to replace all munkitools packages with their munkitools5 counterparts.

  7. Save your changes.

Labs and Kiosks

For labs, kiosks, shared devices, and other many-to-one Mac deployments without a primary user to assume responsibility for software updates,  Apple has provided an MDM framework in order to automate software updates without user interaction. If you have need of this in your unit environment, please contact the EPS team.

Sample Customer Communication (Intel Hardware)

For your convenience, the following is a sample email for informing your Mac users about the coming changes to Managed Software Center behavior.

The following information is for faculty and staff with IT-managed Macs, and contains important information about upcoming changes to the way software updates are handled.

Some of you have experienced issues with Apple software updates hanging at the login window, necessitating computer restarts and resulting in workflow disruptions. In response to this issue, on [date], we are releasing a new version of Managed Software Center, the application used to keep macOS updated.

Once your Mac has received the Managed Software Center update, you will see the following changes to how software updates are handled:

  • Managed Software Center will no longer attempt to install Apple software updates that require a restart.
  • Instead, Managed Software Center will launch System Preferences - Software Update, which will offer the updates for installation.
    • You must take action to install updates.
    • Updates will not install automatically without action on your part.
  • Depending on the version of macOS you are using, you may see an ‘Upgrade Now’ button. Do not click ‘Upgrade Now’ without first contacting your IT support team. Instead, click the ‘More info’ link, which will show you updates for the version of macOS already installed on your Mac.

Munki Changelog

Subscribe to the Munki changelog if you wish to be notified about upcoming product and service changes affecting Munki and MunkiReport. (The 'Subscribe to changes' button is located just above the page footer.)

Contact the EPS team

Keywords:"managed software center" msc eps mtm "multi tenant" multi-tenant mac macos endpoint techs-eps-mtm munki "munki 5" munki5 munkiv5   Doc ID:102212
Owner:EPS Distribution List .Group:University of Illinois Technology Services
Created:2020-05-19 09:40 CDTUpdated:2022-03-14 09:24 CDT
Sites:University of Illinois Technology Services
Feedback:  10   10