Endpoint Services, Munki, Munki v5

Vital information about the significant changes introduced in Munki v5 and how they affect end users.

Systems

Munki Mac Endpoint Management

Intended Audience

University of Illinois IT Pros leveraging Technology Services Endpoint Services Munki Mac Endpoint Management systems.

Actions

General Information

Beginning with macOS 10.14, handoffs between Munki and Apple's softwareupdate tool (which Munki uses to install Apple software updates) have become problematic, with Munki often failing to trigger Apple software updates at the login window and updates not completing.

Munki release v5 (scheduled for production release after 4pm Wednesday, September 16, 2020) addresses this issue by not attempting to install certain Apple updates on macOS 10.14 (Mojave) and above. Specifically, Munki v5 will not install Apple software updates that require a restart. Managed Software Center will instead direct users to use System Preferences - Software Update to install these updates.

Munki v5 will continue to install the following:

  • Apple software updates that don't require a restart
  • Non-Apple software updates (e.g. Google Chrome, Microsoft Office, Adobe applications, etc...)
  • All software and updates (including those requiring restarts) on macOS 10.13 and below

Managed Software Center and Apple Updates

In the following screenshot, Managed Software Center offers a typical set of updates, including an Apple update that requires a restart:


Pending Updates


When "Update All" is selected, Munki v5's new behavior displays a dialogue directing users to use System Preferences - Software Update to install the Apple update that requires a restart:


Update All

If the user clicks "Skip these updates", the Apple update requiring a restart is removed from the list of updates in Managed Software Center. Clicking "Update All" will install the remaining updates in the usual fashion. At the next Munki update check, any skipped Apple updates will be offered again.

Skip These Updates


However, if the user clicks the "Install Now" button, Munki v5 will launch System Preferences - Software Update, with an "Update Now" button and a "More info" hyperlink.

If the user selects the "More info" link, all pending Apple Software updates are displayed with additional information:


More Info



  • If the user selects "Install Now", the update will proceed; after a restart, Munki will install any remaining updates. Unlike major version upgrades, Apple Software Updates can be performed by standard/non-admin accounts.
  • If the user instead selects "Close" and then quits System Preferences, no updates will be installed, Apple or otherwise, and Munki will re-offer the updates at the next update check.
  • Action is required to initiate the software update. Apple Software Updates will not begin automatically without user action.


Note that the macOS Catalina offer in the example below (on a 10.14 system) is prominent, and might mislead the user into incorrectly selecting "Upgrade Now" instead of correctly selecting the "More info" link under "Other updates are available". While Apple formerly provided a mechanism to suppress major OS upgrade offers, this functionality has now been deprecated. Standard/non-admin accounts can click the "Upgrade Now" button to download a macOS upgrade installer, but administrator credentials are required to perform the upgrade itself.


Install Now



Additional Update Encouragement

With Munki v5, Managed Software Center will provide additional encouragement and cues intended to guide end users to install updates in a timely fashion. 

  • Any updates (Apple or otherwise) pending for more than two days will be labeled:

More Than 2 Days

  • If the user attempts to quit Managed Software Center when any update (Apple or otherwise) has been pending for more than 14 days, a "Pending updates" reminder is presented, and the "Quit" button is disabled for 5 seconds. Managed Software Center will quit on the second request.
  • Munki v5's update encouragement behavior cannot be disabled.


Aggressive Update Notification Mode

Munki v5 also introduces "aggressive update notification" mode to further discourage update deferral. In addition to the new update encouragement behavior, if the user attempts to quit Managed Software Center when any update (Apple or otherwise) has been pending for more than 14 days:

  • Only the Updates tab is available
  • Access to the Command-Tab task switcher and Dock is removed
  • The ability to click other applications to switch to them is blocked
  • Other applications appear grayed out
  • Force-quit is blocked
  • Several other items in the Apple menu are disabled

Aggressive update notification mode can be configured to shorten or lengthen the default interval of 14 days by using one of the following optional configurations.

  • Munki - 7 Days Before Aggressive Update Notification
  • Munki - 21 Days Before Aggressive Update Notification
  • Munki - 28 Days Before Aggressive Update Notification
Aggressive update notification mode may also be disabled with the following configuration, although Endpoint Services advises against its use in most cases in order to avoid unpatched and vulnerable systems.
  • Munki - No Aggressive Update Notification


Apple Forced Updates Deprecation

Because the force_install_after_date key will no longer work for Apple metadata packages on macOS 10.14 and up under Munki v5, Endpoint Services has deprecated the global_free_appleforcedupdates catalog. Please delete this catalog from your manifest templates so that it will not be included in any newly-onboarded clients.


Deploying Munki v5

Note: Before deploying Munki v5 in your environment, ensure that Macs are not configured to block non-admins from installing Apple software updates.

If you do not, your end users may have no way to install many Apple updates.

For assistance removing existing configurations, please contact the EPS team.

When you are ready to upgrade your Macs to Munki v5, modify your unit manifests to replace munkitools and all munkitools_x packages with munkitools5.

  1. Open your repo in MunkiAdmin and select the Manifests tab, either from the toolbar or by typing Command-3.
  2. Click the Search button and configure a search for "Any installs item" "contains" "munkitools".
  3. From the search results, open each manifest and go to the Managed Installs section.
  4. Click the plus button and use the search field to add munkitools5; you don't need to add all of the munkitools5_xyz packages (munkitools5_core, munkitools5_launchd, etc...) because they'll automatically be installed with munkitools5.
  5. Back in the list of Managed Installs, click to select munkitools and all munkitools_xyz packages -- e.g. munkitools_core, munkitools_launchd, etc... and click the minus button to delete them.
  6. Continue until all manifests have been modified to add munkitools5 and remove munkitools and munkitools_xyz.

  7. Save your changes.


Staying on Munki v4

For the time being, Endpoint Services will continue to make Munki v4 available under the same name key. Units needing extra time to prepare for v5 do not need to take any action in order to stay on v4. However, all units will eventually need to transition to v5.


Labs and Kiosks

Apple currently provides no native mechanism for automating software updates without user interaction. The Endpoint Services team has a workaround for labs, kiosks, and other scenarios where asking end users to install updates is not feasible. If you have need of this solution in your environment, please contact the EPS team.


Sample Customer Communication

For your convenience, the following is a sample email for informing your Mac users about the coming changes to Managed Software Center behavior.


The following information is for faculty and staff with IT-managed Macs, and contains important information about upcoming changes to the way software updates are handled.

Some of you have experienced issues with Apple software updates hanging at the login window, necessitating computer restarts and resulting in workflow disruptions. In response to this issue, on [date], we are releasing a new version of Managed Software Center, the application used to keep macOS updated.

Once your Mac has received the Managed Software Center update, you will see the following changes to how software updates are handled:

  • Managed Software Center will no longer attempt to install Apple software updates that require a restart.
  • Instead, Managed Software Center will launch System Preferences - Software Update, which will offer the updates for installation.
    • You must take action to install updates.
    • Updates will not install automatically without action on your part.
  • Depending on the version of macOS you are using, you may see an ‘Upgrade Now’ button. Do not click ‘Upgrade Now’ without first contacting your IT support team. Instead, click the ‘More info’ link, which will show you updates for the version of macOS already installed on your Mac.


Munki Changelog

Subscribe to the Munki changelog if you wish to be notified about upcoming product and service changes affecting Munki and MunkiReport. (The 'Subscribe to changes' button is located just above the page footer.)



Contact the EPS team




Keywords:"managed software center" msc eps mtm "multi tenant" multi-tenant mac macos endpoint techs-eps-mtm munki "munki 5" munki5 munkiv5   Doc ID:102212
Owner:EPS Distribution List .Group:University of Illinois Technology Services
Created:2020-05-19 09:40 CDTUpdated:2020-09-15 09:55 CDT
Sites:University of Illinois Technology Services
Feedback:  0   0