Endpoint Services, Munki, Managed Software Center

Overview

Managed Software Center is the end-user application for the Munki Endpoint Management system. This application provides IT Pros with a way to notify users that there are software updates to be installed or removed. It also provides visual feedback for update progress. End users may run Managed Software Center manually to check for available updates. Additionally, it serves as an Apple App Store-like source for on-demand/optional software installs and removals.

Systems

Affected Customers

Actions

Installing and Launching Managed Software Center

Managed Software Center is installed automatically when the Munki client software is installed on a computer. Managed Software Center is installed in the Applications folder by default. Users can launch the application from there.

Managed Software Center in Applications Folder

Installing Updates with Managed Software Center

When Managed Software Center launches on a Mac client, it will connect to the Multi-Tenant Munki server, determine what software is available for that computer, and download and display all available updates. The end user can then install the updates by clicking the UPDATE or UPDATE ALL button (depending on how many updates are offered). Users may re-check for available updates by clicking the CHECK AGAIN button.

Managed Software Center will automatically check for available updates in the background (by default once every 1-2 hours) but will not display anything to users unless there are available updates.


Managed Software Center Pending Updates   Managed Software Center - Up To Date

Installing Software via the Self-Service Catalog

Managed Software Center also acts as a self-service software catalog from which users can install additional software on-demand. Users are NOT required to be administrators on their computers to use the software catalog. To access the software catalog, select the Software tab from the Managed Software Center navigation sidebar. Managed Software Center will then display all of the software that has been made available for the computer by the local IT department. Please refer to our article on manifests for more information on which applications are displayed in Managed Software Center. Users also have the ability to search for specific software and they can click a software's name to view additional information about a particular piece of software.

Managed Software Center fix later

Once the end user has identified the software they would like to install, they may click the INSTALL button located next to the software listing to trigger an install.

User Notifications

Beginning with macOS 10.13 (High Sierra), Munki and Managed Software Center have used the macOS Notification Center to notify the end user about available software updates. Modern versions of macOS require that the end user (or an MDM such as Workspace ONE) grant Notification Center access to Managed Software Center. If Notification Center access to Managed Software Center is not approved, the device may fall behind with updates.



Update Encouragement

Managed Software Center provides encouragement and cues intended to guide end users to install updates in a timely fashion. This default behavior may not be disabled.

  • Any updates pending for more than two days will be flagged.
  • If the user attempts to quit Managed Software Center when any update has been pending for more than 14 days, a "Pending updates" reminder is presented, and the "Quit" button is disabled for 5 seconds. Managed Software Center will quit on the second try.

In addition, Munki can step up to "aggressive update notification" mode to further discourage end users from deferring updates. In this mode, if the user attempts to quit Managed Software Center when any update has been pending for more than 14 days:

  • Only the Updates tab is available
  • Access to the Command-Tab task switcher and Dock is removed
  • The ability to click other applications to switch to them is blocked
  • Other applications appear grayed out
  • Force-quit is blocked
  • Several other items in the Apple menu are disabled

Aggressive update notification mode can be configured to shorten or lengthen the default interval of 14 days by using one of the following optional configurations available in the Multi-Tenant Munki service.

  • Munki - 7 Days Before Aggressive Update Notification
  • Munki - 21 Days Before Aggressive Update Notification
  • Munki - 28 Days Before Aggressive Update Notification

Aggressive update notification mode may also be disabled with the following configuration, although Endpoint Services advises against its use in most cases in order to avoid unpatched and vulnerable systems.

  • Munki - No Aggressive Update Notification

Managed Software Center and Apple Updates

Beginning with macOS 10.14, handoffs between Munki and Apple's softwareupdate tool (which Munki uses to install Apple software updates) became problematic, with Munki often failing to trigger Apple software updates at the login window and updates not completing.

In addition, installing Apple software updates on Apple Silicon hardware using Munki is not possible.

As a result, Munki will not attempt to install certain Apple updates on macOS 10.14 (Mojave) and above. Specifically:

  • On Intel hardware, Munki v5 does not install Apple software updates that require a restart. Managed Software Center instead directs users to use System Preferences - Software Update to install these updates. Munki will still install the following:
    • Apple software updates that don't require a restart
    • Non-Apple software updates (e.g. Google Chrome, Microsoft Office, Adobe applications)
    • All software and updates (including those requiring restarts) on macOS 10.13 and below
  • On Apple Silicon hardware, by default, Munki v5 does not check for Apple software updates, and Managed Software Center does not notify users of any available Apple software updates.

Managed Software Center and Apple Updates (Apple Silicon Hardware)

On Apple Silicon hardware, by default, Munki v5 will not check for, notify about, or install any Apple software updates.

Managed Software Center and Apple Updates (Intel Hardware)

In the following screenshot, Managed Software Center offers a typical set of updates, including an Apple update that requires a restart:


Pending Updates


When "Update All" is selected, Munki v5 displays a dialogue directing users to use System Preferences - Software Update to install the Apple update that requires a restart:


Update All

If the user clicks "Skip these updates", the Apple update requiring a restart is removed from the list of updates in Managed Software Center. Clicking "Update All" will install the remaining updates in the usual fashion. At the next Munki update check, any skipped Apple updates will be offered again.

Skip These Updates


However, if the user clicks the "Install Now" button, Munki v5 will launch System Preferences - Software Update.

Install Now

If the user selects the "More info" link, all pending Apple Software updates are displayed with additional information, including an "Install Now" button:


More Info



  • If the user selects "Install Now", the update will proceed; after a restart, Munki will install any remaining updates. Unlike major version upgrades, Apple Software Updates can be performed by standard/non-admin accounts.
  • If the user instead selects "Close" and then quits System Preferences, no updates will be installed, Apple or otherwise, and Munki will re-offer the updates at the next update check.
  • Action is required to initiate the software update. Apple Software Updates will not begin automatically without user action.


Note that the major macOS upgrade offer (in this example, for Big Sur on a Catalina system) is prominent, and might mislead the user into incorrectly selecting "Upgrade Now" instead of correctly selecting the "More info" link. While Apple does provide a mechanism to suppress major OS upgrade offers, this functionality requires MDM enrollment. Standard/non-admin accounts can click the "Upgrade Now" button to download a macOS upgrade installer, but administrator credentials are required to perform the upgrade itself.


Install Now




Contact the EPS team