Advanced Munki links

Here are the collected links from today’s “Advanced Munki” presentation at the MACAD conference in London (

Unattended installs:
Force install after date:
Apple Update Metadata:
Conditional items:
Admin-provided conditions:
Pre- and Post-install scripting:
Bootstrapping with Munki:
Configuration Profiles with Munki:
Desktop picture profile template:
On-Demand items: Not much documentation yet! But…
Customizing the GUI: Advanced Munki links

Preference Management with Profiles links

Here are links to some of the tools and resources I mention today in my MacSysAdmin 2015 presentation, Preference Management with Profiles:



Profile Manager (Server 4):

Profile Manager (Server 5):

Configuration Profile reference:

Preference Management with Profiles links

PSU MacAdmins 2015 Packaging Workshop

If you are participating in the Packaging Workshop on July 7th at the Penn State MacAdmins Conference, you may want to download some materials in advance when you aren’t competing with all the other people for limited conference Wi-Fi bandwidth. Note — don’t install these items — just download their installers and keep them handy for the workshop.

Silverlight pkg:

Adobe Reader 11 pkg:

Google Earth pkg:

Firefox dmg:

Google Chrome dmg:


Some optional things:

Suspicious Package:


PSU MacAdmins 2015 Packaging Workshop

Pseudo-“Payload-free” pkgs with pkgbuild

“Payload-free” packages — that is, Apple installer packages that do not have a file payload, but only run scripts, are a nice tool for OS X admins to have. They provide a convenient way to deliver and execute scripts as root. If you have a way to install packages on your managed machines, you can also run scripts as root by wrapping them in a “payload-free” package.

Rich Trouton has written up the basic procedure using the built-in `pkgbuild` tool:

But payload-free packages built this way have a “feature” that can sometimes prove problematic. Flat packages built with pkgbuild using the --nopayload option do not leave receipts in the pkgutil database. This means it can be difficult to determine if a given payload-free package has already been installed on a given machine.

This is especially annoying with Munki: by default, when installing a package, Munki uses the package’s receipt(s) to determine whether or not the package has been installed. Without that receipt, and with no other information, Munki can’t tell if the package has been installed.

Fortunately, it’s trivial to make a pseudo-payload-free package that leaves a receipt. All we need to do is specify an empty payload!

Here’s how we make a “true” payload-free package (that does not leave a receipt):

pkgbuild --nopayload --scripts /path/to/scripts_dir --identifier org.example.payloadfree --version 1.0 MyGreatPayloadFree.pkg

and here’s a “pseudo” payload-free package that does leave a receipt:

mkdir empty
pkgbuild --root empty --scripts /path/to/scripts_dir --identifier org.example.payloadfree --version 1.0 MyGreatPayloadFree.pkg

That’s it! Instead of using the --nopayload option, we create an empty directory and point the --root option at it. The package is built with the empty payload, and when installed, the package leaves a receipt.

Pseudo-“Payload-free” pkgs with pkgbuild

MacTech Conference 2014: What’s New with Munki?

If you are attending my session on Thursday: “What’s new with Munki?” and want to follow along/participate in setting up your own Munki demo, don’t temp the WiFi gods. Download these things in advance:

MacTech Conference 2014: What’s New with Munki?