Endpoint Services, Munki, Munki v5

Vital information about the significant changes introduced in Munki v5 and how they affect end users.

Systems

Munki Mac Endpoint Management

Intended Audience

University of Illinois IT Pros leveraging Technology Services Endpoint Services Munki Mac Endpoint Management systems.

Actions

General Information

Beginning with macOS 10.14, handoffs between Munki and Apple's softwareupdate tool (which Munki uses to install Apple software updates) became problematic, with Munki often failing to trigger Apple software updates at the login window and updates not completing.

In addition, with macOS 11 on Apple Silicon/M1 hardware, installing Apple software updates via Munki is no longer possible due to changes Apple has made.

Munki release v5 addresses this issue by not attempting to install certain Apple updates on macOS 10.14 (Mojave) and above. Specifically:

Managed Software Center and Apple Updates (Apple Silicon/M1 Hardware)

On Apple Silicon/M1 hardware, Munki v5 will not check for, notify about, or install ANY Apple software updates.

Managed Software Center and Apple Updates (Intel Hardware)

In the following screenshot, Managed Software Center offers a typical set of updates, including an Apple update that requires a restart:


[Screenshot: Pending Updates]


When "Update All" is selected, Munki v5 displays a dialogue directing users to use System Preferences - Software Update to install the Apple update that requires a restart:


[Screenshot: Update All]

If the user clicks "Skip these updates", the Apple update requiring a restart is removed from the list of updates in Managed Software Center. Clicking "Update All" will install the remaining updates in the usual fashion. At the next Munki update check, any skipped Apple updates will be offered again.

[Screenshot: Skip These Updates]


However, if the user clicks the "Install Now" button, Munki v5 will launch System Preferences - Software Update.

[Screenshot: Install Now]

If the user selects the "More info" link, all pending Apple Software updates are displayed with additional information, including an "Install Now" button:


[Screenshot: More Info]




Note that the major macOS upgrade offer (in this example, for Big Sur on a Catalina system) is prominent, and might mislead the user into incorrectly selecting "Upgrade Now" instead of correctly selecting the "More info" link. While Apple does provide a mechanism to suppress major OS upgrade offers, this functionality requires MDM enrollment. Standard/non-admin accounts can click the "Upgrade Now" button to download a macOS upgrade installer, but administrator credentials are required to perform the upgrade itself.


[Screenshot: Install Now]



Additional Update Encouragement

With Munki v5, Managed Software Center will provide additional encouragement and cues intended to guide end users to install updates in a timely fashion. 


Aggressive Update Notification Mode

Munki v5 also introduces "aggressive update notification" mode to further discourage update deferral. In addition to the new update encouragement behavior, if the user attempts to quit Managed Software Center when any update (Apple or otherwise) has been pending for more than 14 days:

Aggressive update notification mode can be configured to shorten or lengthen the default interval of 14 days by using one of the following optional configurations.

Aggressive update notification mode may also be disabled with the following configuration, although Endpoint Services advises against its use in most cases in order to avoid unpatched and vulnerable systems.


Apple Forced Updates Deprecation

Because the force_install_after_date key will no longer work for Apple metadata packages on macOS 10.14 and up under Munki v5, Endpoint Services has deprecated the global_free_appleforcedupdates catalog. Please delete this catalog from your manifest templates so that it will not be included in any newly-onboarded clients.


Deploying Munki v5

Note: Before deploying Munki v5 in your environment, ensure that Macs are not configured to block non-admins from installing Apple software updates.

Otherwise, your end users may have no way to install many Apple updates.

For assistance removing existing configurations, please contact the EPS team.

When you are ready to upgrade your Macs to Munki v5, modify your unit manifests to replace munkitools and all munkitools_x packages with munkitools5.

  1. Open your repo in MunkiAdmin and select the Manifests tab, either from the toolbar or by typing Command-3.
  2. Click the Search button and configure a search for "Any installs item" "contains" "munkitools".
    [Screenshot: MunkiAdmin Manifest Search]
  3. From the search results, open each manifest and go to the Managed Installs section.
    [Screenshot: MunkiAdmin base default manifest]
  4. Click the plus button and enter munkitools5 in the search field; the search should return all munkitools5_xyz packages. Select and add all six packages shown below.
    [Screenshot: munkitools5 search]
  5. Back in the list of Managed Installs, click to select munkitools and all munkitools_xyz packages (e.g. munkitools_core, munkitools_launchd), then click the minus button to delete them.

  6. Continue until all manifests have been modified to replace all munkitools packages with their munkitools5 counterparts.


  7. Save your changes.
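
To confirm that the manifest edits above are complete, and that the deprecated global_free_appleforcedupdates catalog from "Apple Forced Updates Deprecation" is gone, the following added example (not part of the Endpoint Services tooling) audits a manifest plist. It assumes the standard Munki manifest keys; the sample manifest and the munkitools5 item names in it are constructed to follow the munkitools5_xyz pattern described in step 4.

```python
import plistlib
import re

# Manifest keys that list package names (standard Munki manifest layout).
INSTALL_KEYS = ("managed_installs", "managed_updates", "optional_installs")
DEPRECATED_CATALOG = "global_free_appleforcedupdates"
# munkitools / munkitools_xyz, optionally "-version"; never munkitools5*.
LEGACY = re.compile(r"^munkitools(_\w+)?(-[\d.]+)?$")

# Constructed sample manifest: half-migrated, deprecated catalog still present.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>catalogs</key>
  <array><string>production</string>
         <string>global_free_appleforcedupdates</string></array>
  <key>managed_installs</key>
  <array><string>munkitools5</string><string>munkitools_core</string>
         <string>Firefox</string></array>
  <key>conditional_items</key>
  <array><dict>
    <key>condition</key><string>machine_type == "laptop"</string>
    <key>managed_installs</key>
    <array><string>munkitools_launchd</string></array>
  </dict></array>
</dict></plist>"""

def _items(node):
    """Yield every install entry, descending into conditional_items."""
    for key in INSTALL_KEYS:
        yield from node.get(key, [])
    for cond in node.get("conditional_items", []):
        yield from _items(cond)

def audit_manifest(raw):
    """Classify one manifest: 'v4', 'mixed', 'v5', or 'none' (no munkitools)."""
    manifest = plistlib.loads(raw)
    items = list(_items(manifest))
    legacy = sorted({i for i in items if LEGACY.match(i)})
    has_v5 = any(i.startswith("munkitools5") for i in items)
    status = {(True, True): "mixed", (True, False): "v4",
              (False, True): "v5", (False, False): "none"}[(bool(legacy), has_v5)]
    return {"status": status, "legacy": legacy,
            "deprecated_catalog": DEPRECATED_CATALOG in manifest.get("catalogs", [])}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

To audit a repo, call audit_manifest() on the bytes of each file under its manifests directory; a "mixed" status means step 5 was missed for at least one munkitools item, including items nested under conditional_items.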


Staying on Munki v4

For the time being, Endpoint Services will continue to make Munki v4 available under the same name key. Units needing extra time to prepare for v5 do not need to take any action in order to stay on v4. However, all units will eventually need to transition to v5.

Note that Big Sur requires Munki v5.


Labs and Kiosks

Apple currently provides no native mechanism for automating software updates without user interaction. The Endpoint Services team has a workaround for labs, kiosks, and other scenarios where asking end users to install updates is not feasible. If you have need of this solution in your environment, please contact the EPS team.


Sample Customer Communication (Intel Hardware)

For your convenience, the following is a sample email for informing your Mac users about the coming changes to Managed Software Center behavior.


The following information is for faculty and staff with IT-managed Macs, and contains important information about upcoming changes to the way software updates are handled.

Some of you have experienced issues with Apple software updates hanging at the login window, necessitating computer restarts and resulting in workflow disruptions. In response to this issue, on [date], we are releasing a new version of Managed Software Center, the application used to keep macOS updated.

Once your Mac has received the Managed Software Center update, you will see the following changes to how software updates are handled:


Munki Changelog

Subscribe to the Munki changelog if you wish to be notified about upcoming product and service changes affecting Munki and MunkiReport. (The 'Subscribe to changes' button is located just above the page footer.)



Contact the EPS team