Setting up Reposado without downloading Apple update pkgs

Reposado allows you to set up your own local repo of Apple software updates. This can be handy if you want to control the flow of updates (having a testing branch, for example, and then promoting items from testing to production).

With Apple deprecating custom catalog URLs in Catalina (they still work for now, though), you may not want to actually create a full Reposado repo. Maybe you just want a way to check for product keys without replicating the entire repo, including pkgs.

It’s fairly simple to do this:

git clone
sudo mkdir -p /usr/local/reposado
sudo cp -R reposado/code/* /usr/local/reposado/
sudo mkdir -p /Library/Application\ Support/reposado/html
sudo mkdir -p /Library/Application\ Support/reposado/metadata

This is the key part, when you go to configure Reposado, you want the Base URL to be blank:

sudo /usr/local/reposado/repoutil --configure
Filesystem path to store replicated catalogs and updates [/Library/Application\ Support/reposado/html]: /Library/Application Support/reposado/html

Filesystem path to store Reposado metadata [/Library/Application\ Support/reposado/metadata]: /Library/Application Support/reposado/metadata

Base URL for your local Software Update Service
(Example: -- leave empty if you are not replicating updates) []:

Then, you can run

sudo /usr/local/reposado/repo_sync

and the total download should be only about 150 MB (as opposed to hundreds of GB if you were to download all the pkgs as well).

Munki hack: force uninstall after a certain date

Munki has an option to force install by a certain date (specifically, using the force_install_after_date key), but it doesn’t do a force uninstall after a certain date.

You can make an item a managed uninstall, which means Munki will uninstall it when possible, but if that requires a logout or reboot, you don’t know when that might happen.

So to force an uninstall after a certain date, there’s a messy hack you can employ, which is to create an uninstall nopkg.

So, for example, if you want to force remove item X, you would have, of course, an item X in your repo, but you would then create a nopkg item for uninstall-X, which, when “installed” would uninstall X.

Now, this can be a bit tricky, because Munki has built-in logic for how it does its installs. For example, let’s say item X had a relationship with item Y, where item Y is an update for X. If you use Munki’s built-in installation logic to make item X a managed uninstall, Munki would know to remove item Y as well. But if you create a separate nopkg that just runs some script to remove item X, the nopkg doesn’t also necessarily know item Y is an update for item X.

Likewise, if you have item X as a managed install as well, you could have Munki fighting with itself, since it will try to install item X but also (via your hacky nopkg) install item uninstall-X. (In ordinary circumstances, make an item both a managed install and a managed uninstall would usually have Munki just keep it installed.)

But if you are careful with how you construct things, this can definitely work. I wouldn’t recommend it (better to just let managed uninstalls do its job), but if you absolutely need to remove a certain piece of software by a certain date, this can do it.

Another potential hack is to have item Z force install by that same date, and then make item X a regular managed uninstall, and when users are forced to install item Z, item X will uninstall at the same time.

Using Munki to ignore Catalina upgrade in macOS

Apple used to make you go out of your way to download an OS upgrade. Then, Apple started having those OS upgrade installers auto-download to the /Applications folder. Then Apple made it so OS upgrades appeared as regular updates.

For Mac admins who aren’t ready to have their clients upgrade to Catalina (and potentially have a lot of things break), there is a way to tell the client machine to ignore the update and thus not advertise it to the user.

For those who are Munki admins, I’ve created a nopkg that will allow you to “install” ignoring the Catalina upgrade (but you can easily tweak the script to ignore any update) and also “uninstall” ignoring the Catalina upgrade (or any update).

Scripting changing the user picture in macOS

Sometimes, you may want to programmatically set a default user picture (with the option for the user to change it later to a picture of her own choice).

You used to be able to delete the JPEGPhoto attribute and just add in a Picture attribute, but that seems to have broken somewhere between October 2018 and September 2019.

In macOS 10.14.6, if you use dscl to delete the JPEGPhoto attribute, and then add in a Picture attribute, you’ll see one of the user pictures change, but the other one will default to the generic silhouette:

Unfortunately, you also can’t just script writing in the hex of the photo via a dscl . -create /Users/username JPEGPhoto ALLOFTHEHEXTEXT command. You will get a /usr/bin/dscl: Argument list too long error.

Someone on Stack Exchange managed to find a solution using dsimport.

Note: I did some further testing, and you may need to first run

sudo dscl . delete /Users/username JPEGPhoto
sudo dscl . delete /Users/username Picture

before successfully running the script linked to below.

If you run that script, you’ll see it changes both photos.

This script works for now in 10.14.6, and it also works in Catalina beta build 19A578c.