Endpoint Services, Munki, Managed Software Center
Overview
Managed Software Center is the end-user application for the Munki Endpoint Management system. This application provides IT Pros with a way to notify users that there are software updates to be installed or removed. It also provides visual feedback for update progress. End users may run Managed Software Center manually to check for available updates. Additionally, it serves as an Apple App Store-like source for on-demand/optional software installs and removals.
Systems
- Computers running macOS 10.11 or higher and utilizing the Munki Mac Endpoint Management system
Affected Customers
- University of Illinois users and IT Pros leveraging Technology Services Endpoint Services' Munki Mac Endpoint Management
Actions
- Installing and Launching Managed Software Center
- Installing Updates with Managed Software Center
- Installing Software via the Self-Service Catalog
- User Notifications
- Update Encouragement and Aggressive Notification Mode
- Managed Software Center and Apple Updates
Installing and Launching Managed Software Center
Managed Software Center is installed automatically when the Munki client software is installed on a computer. Managed Software Center is installed in the Applications folder by default. Users can launch the application from there.
Installing Updates with Managed Software Center
When Managed Software Center launches on a Mac client, it will connect to the Multi-Tenant Munki server, determine what software is available for that computer, and download and display all available updates. The end user can then install the updates by clicking the UPDATE or UPDATE ALL button (depending on how many updates are offered). Users may re-check for available updates by clicking the CHECK AGAIN button.
Managed Software Center will automatically check for available updates in the background (by default once every 1-2 hours) but will not display anything to users unless there are available updates.
Installing Software via the Self-Service Catalog
Managed Software Center also acts as a self-service software catalog from which users can install additional software on-demand. Users are NOT required to be administrators on their computers to use the software catalog. To access the software catalog, select the Software tab from the Managed Software Center navigation sidebar. Managed Software Center will then display all of the software that has been made available for the computer by the local IT department. Please refer to our article on manifests for more information on which applications are displayed in Managed Software Center. Users also have the ability to search for specific software and they can click a software's name to view additional information about a particular piece of software.
Once the end user has identified the software they would like to install, they may click the INSTALL button located next to the software listing to trigger an install.
User Notifications
Beginning with macOS 10.13 (High Sierra), Munki and Managed Software Center have used the macOS Notification Center to notify the end user about available software updates. Modern versions of macOS require that the end user (or an MDM such as Workspace ONE) grant Notification Center access to Managed Software Center. If Notification Center access to Managed Software Center is not approved, the device may fall behind with updates.
Update Encouragement
Managed Software Center provides encouragement and cues intended to guide end users to install updates in a timely fashion. This default behavior may not be disabled.
- Any updates pending for more than two days will be flagged.
- If the user attempts to quit Managed Software Center when any update has been pending for more than 14 days, a "Pending updates" reminder is presented, and the "Quit" button is disabled for 5 seconds. Managed Software Center will quit on the second try.
In addition, Munki can step up to "aggressive update notification" mode to further discourage end users from deferring updates. In this mode, if the user attempts to quit Managed Software Center when any update has been pending for more than 14 days:
- Only the Updates tab is available
- Access to the Command-Tab task switcher and Dock is removed
- The ability to click other applications to switch to them is blocked
- Other applications appear grayed out
- Force-quit is blocked
- Several other items in the Apple menu are disabled
Aggressive update notification mode can be configured to shorten or lengthen the default interval of 14 days by using one of the following optional configurations available in the Multi-Tenant Munki service.
- Munki - 7 Days Before Aggressive Update Notification
- Munki - 21 Days Before Aggressive Update Notification
- Munki - 28 Days Before Aggressive Update Notification
Aggressive update notification mode may also be disabled with the following configuration, although Endpoint Services advises against its use in most cases in order to avoid unpatched and vulnerable systems.
- Munki - No Aggressive Update Notification
Managed Software Center and Apple Updates
Previously, Macs onboarded to Multi-Tenant Munki (MTM) were configured so that Munki checked for available Apple software updates, listed them in the Managed Software Center updates pane, and either installed them (on Intel hardware where no restart was required) or (in all other cases) redirected the logged-in user to System Settings - Software Update to install the updates.
In June 2023, Endpoint Services modified the default MTM behavior so that newly onboarded (or re-onboarded) Macs will NOT check for Apple software updates during Munki runs. None will be listed in Managed Software Center (MSC), and MSC will not direct the end user to System Settings - Software Update. Instead, end users must rely on notifications from System Settings - Software Update to stay on top of Apple software updates.
This change only affects newly-onboarded or re-onboarded clients. So that both new and existing Macs are configured identically, Munki admins may choose to add the following title to unit manifests: munkitools_config_do_not_installapplesoftwareupdates.
The following information applies whenever Munki is still configured to check for Apple Software Updates:
Managed Software Center and Apple Updates (Apple Silicon Hardware)
On Apple Silicon hardware, Munki will not attempt to install any Apple software updates.
Managed Software Center and Apple Updates (Intel Hardware)
In the following screenshot, Managed Software Center offers a typical set of updates, including an Apple update that requires a restart:
When "Update All" is selected, Munki displays a dialogue directing users to use System Preferences - Software Update to install the Apple update that requires a restart:
If the user clicks "Skip these updates", the Apple update requiring a restart is removed from the list of updates in Managed Software Center. Clicking "Update All" will install the remaining updates in the usual fashion. At the next Munki update check, any skipped Apple updates will be offered again.
However, if the user clicks the "Install Now" button, Munki will launch System Preferences - Software Update.
If the user selects the "More info" link, all pending Apple Software updates are displayed with additional information, including an "Install Now" button:
- If the user selects "Install Now", the update will proceed; after a restart, Munki will install any remaining updates. Unlike major version upgrades, Apple Software Updates can be performed by standard/non-admin accounts.
- If the user instead selects "Close" and then quits System Preferences, no updates will be installed, Apple or otherwise, and Munki will re-offer the updates at the next update check.
- Action is required to initiate the software update. Apple Software Updates will not begin automatically without user action.
Note that the major macOS upgrade offer (in this example, for Big Sur on a Catalina system) is prominent, and might mislead the user into incorrectly selecting "Upgrade Now" instead of correctly selecting the "More info" link. While Apple does provide a mechanism to suppress major OS upgrade offers, this functionality requires MDM enrollment. Standard/non-admin accounts can click the "Upgrade Now" button to download a macOS upgrade installer, but administrator credentials are required to perform the upgrade itself.