Endpoint Services, How can I use both Workspace ONE and Munki to manage my Macs?
Information on macOS endpoint management using a combination of Workspace ONE and Munki.
Munki Mac Endpoint Management
Workspace ONE Unified Endpoint Management (UEM)
University of Illinois IT Pros leveraging Technology Services Endpoint Service Munki Mac Endpoint Management and Workspace ONE UEM
- General Information
- What Workspace ONE can do
- What Munki can do
- Using Workspace ONE and Munki together to manage your Macs
Munki and Workspace ONE (formerly known as AirWatch) complement one another and together provide a full suite of macOS endpoint management tools. NOTE: Neither Munki nor Workspace ONE provides traditional OS imaging, which Apple no longer supports. However, Munki does support in-place OS upgrades as well as an erase-and-install workflow for devices on macOS 10.13.4 and up.
Workspace ONE is VMware's unified endpoint management (UEM) solution with support for multiple platforms, including macOS. It provides:
- Automatic enrollment of Apple DEP-provisioned devices
- Management of secure kernel extension loading (SKEL)
- Enforcement of device-specific security profiles
- Remote management and configuration profiles
- Apple App Store application deployment and license management
- Compliance with Apple's stated reliance on unified endpoint management (UEM) or mobile device management (MDM) for macOS management
Munki is a macOS endpoint management service based on the open-source Munki project. It allows IT Pros to automate the installation and removal of applications (many of which are already packaged by the Endpoint Services team) and offers some support for certain configuration types. Munki is intended for macOS only; no other operating systems are supported. It provides:
- macOS upgrades (either in-place or erase-and-install workflows)
- Apple software updates
- Adobe products
- Microsoft products, including Office
- WebStore applications
- Many pre-packaged common or free applications (view list of available titles)
With each successive macOS release, Apple has introduced an increasing number of configuration changes that can only be implemented via a UEM or MDM solution like Workspace ONE, and not via traditional methods such as scripts, Apple Remote Desktop management, or even Munki. An ideal macOS deployment workflow therefore uses both Workspace ONE and Munki in the following way:
- DEP-provisioned devices are enrolled into Workspace ONE at initial boot.
- Older, non-DEP devices can be enrolled into Workspace ONE via Munki, or by manually installing an enrollment profile.
- Workspace ONE completes a specified set of desired staging tasks, including:
  - Local account creation for DEP devices
  - AD binding
  - Configuring security settings
  - Apple App Store software installation (or adoption for pre-installed apps) and updates
  - Installation of Multi-Tenant-Munki tools and configuration
- Munki runs and installs "non-Apple App Store applications", updates (including Apple Software Updates), and configurations