-
Revision of PrinterGenerator for Munki
Back in 2015, Nick McSpadden created the (now-archived) PrinterGenerator, which ran a Python 2 script to create a bunch of Munki nopkgs to install printers using the lpadmin command. Eventually, because Nick wasn’t using the script and because macOS no longer came with Python, Nick retired the project. I’m also not using it, either, but on…
-
Scripting disabling auto-join for Wi-Fi networks
What about a Wi-Fi profile? You may be thinking, “Why would I want to script disabling Wi-Fi auto-join, when I can just set it with a profile?” After all, in Apple’s MDM documentation, it seems that you can just do so, right? AutoJoin (boolean): If true, the device joins the network automatically. If false, the…
-
Using the field encryption key to decrypt secrets in Crypt Server
Why do this? Well, you shouldn’t really ever need to do this. The beauty of Crypt Server is that you run the docker container with the field encryption key, and Django automatically does all the encrypting and decrypting for you. You shouldn’t need to look manually at the keys stored in the database. But, in…
-
Upgrading from Munki 6 to Munki 7—don’t be scared!
Introduction: Munki 7 (Swift) is a fairly major rewrite from Munki 6 (Python), but the core functionality is still the same (with some minor differences, including some improvements). First of all, even though I’ll go over some key 6-to-7 transition points here, I’d highly recommend you read the Munki 7 introduction page on the Munki…
-
security import gets “wrong password” but dragging to Keychain Access doesn’t
I’m hoping this is something Apple will fix in the future (thus making this blog post obsolete), but in the meantime, if you see the behavior described, there is a workaround. Problem: /usr/bin/security import /PATH/TO/CERT.p12 -k /Library/Keychains/System.keychain -P ACTUALPASSWORD results in an error of security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?) but…
-
macOS 15.6 (rightly) breaks Nessus’s link to hidden installer .pkg
I hope by the time you read this, Nessus will have fixed its installer, and this will be a non-issue. As of this writing, though, Nessus (Agent 10.9) currently delivers an “installer” that’s just a hard link to a hidden real installer. The visible “installer” (Install Nessus Agent.pkg) is less than 100 KB in size…
-
Showing the Okta Verify window at login only to users not signed in
What’s the problem? I wanted a way to have Okta Verify launch at login but with the window for the app appearing only to users who aren’t signed into Okta Verify. Launch Okta Verify at login: There is some guidance on how to set up Okta Verify to launch at login. For that, Okta recommends…
-
Do you need to clean up the SelfServeManifest for your Munki clients?
What might be the issue? Every now and then, on the #munki channel of the MacAdmins Slack, someone will ask about deleting or updating an entry in the SelfServeManifest. The /Library/Managed Installs/manifests/SelfServeManifest file is where Munki keeps track of what optional installs items users choose to install via Managed Software Center. Once a user selects…
-
Getting manifest comments to persist after saving with MunkiAdmin
Problem: Munki manifests are essentially XML, so you can write comments in the manifests to explain why you might have put something in (say, serial numbers in conditions). If you, however, edit and save a manifest using MunkiAdmin, MunkiAdmin doesn’t know about those comments, because they aren’t actual XML keys and values, so the comments…
-
Considerations when migrating from Google Santa to North Pole Santa
Mountain View to North Pole: As of February 2025, the Google version of Santa has been retired, but there’s a new North Pole version of Santa available. While the migration guide outlines a fairly straightforward process, there are some nuances to consider. Even though I highly recommend reading the actual migration guide, the tl;dr version…
-
Using “new” launchctl subcommands to check for and reload launch daemons
Note: This is a follow-up post to “launchctl ‘new’ subcommand basics for macOS.” Legacy Subcommands: With the legacy subcommands for launchctl, you could check if a launch daemon was running by getting the output of sudo launchctl list | grep LAUNCHDAEMONLABEL and then you could just launch it up by running: sudo launchctl load -w…
-
A Jamf extension attribute to check the health of the last Munki run
If you use both Jamf and Munki (and specifically use Jamf to deploy Munki or reinstall Munki), you may want to have a Jamf extension attribute to see the health of the last Munki run. Munki has a file at /Library/Managed Installs/ManagedInstallReport.plist, which stores details about the last run. Here’s an example of what an…
-
Minimal bootstrapping with Munki
If you are using Munki to manage your Mac fleet’s software installs, you may want to leverage bootstrapping, wherein Munki, at the login window, keeps installing items, rebooting as necessary, installing more items, and rebooting more if necessary… until all the items are installed. If your infrastructure for this is sophisticated, you may already be…
-
Surprise! Deleting macOS’s /tmp directory can break things…
System Integrity Protection: Macs have something called System Integrity Protection (also known as SIP), which means certain critical directories and files can’t be deleted, even as root. Even the /Applications/Chess.app can’t be deleted because of SIP. Running ls -ldO /System/Applications/Chess.app returns: drwxr-xr-x 3 root wheel restricted 96 Sep 30 21:10 /System/Applications/Chess.app. See that restricted in there? It…