Using Munki to revert or downgrade software

Introduction

It might come as little surprise to find out that I use Munki in my organization to manage software installations on macOS.

Munki is really good at keeping software up-to-date. Every time it runs, it compares the versions it has on the server against the versions installed on the local machine and updates any software at a lower version than it has on the server.

Its default behavior when an item on the local machine has a higher version than that on the server is to leave it alone. This is great when you have users that for whatever reason need to test newer versions (or perhaps they are actually developing the newer version of the software).

I also use AutoPkg to automate finding new software updates and to import them into my Munki repo. For us, AutoPkg checks on approximately 50 items each day, importing anything new into my Munki repo into a testing catalog.

On Tuesday of this week, Mozilla released Firefox 59. AutoPkg found the new release and imported it into Munki as expected. On Wednesday, I noticed that AutoPkg had imported Firefox 60! I looked at the installed application, and its version was actually 60.0b3. Someone at Mozilla had goofed and pointed the “latest firefox release” link at the 60 beta. Later in the day this goof was remedied and the link once again returned Firefox 59.

But my AutoPkg run had occurred while the Mozilla site was offering 60.0b3, and so it was downloaded and added to my Munki’s repo’s testing catalog. 25 Macs in my organization (including my own laptop) now had Firefox 60.0b3 installed.

(Side note: because of the way Munki does version comparisons, when the final release of Firefox 60 comes out, if it is versioned as “60.0”,  Munki would not “upgrade” from 60.0b3 to 60.0 – “60.0b3” compares as higher than “60.0”.)

I wanted to configure Munki to downgrade any install of Firefox 60.0b3 to Firefox 59. Since by default Munki leaves higher versions alone, this is not exactly obvious how to do.

Continue reading “Using Munki to revert or downgrade software” →

MacAD.uk 2018 Conference Links

Here are some links from my presentation at Mac Admins and Developers UK 2018, “Imaging is Dead: Now What?”

Der Flounder, “Imaging will be dead soonish”: https://derflounder.wordpress.com/2017/01/10/imaging-will-be-dead-soon-ish/

AutoDMG: https://github.com/MagerValp/AutoDMG

Imagr: https://github.com/grahamgilbert/imagr

DeployStudio: http://www.deploystudio.com

Apple, “Upgrade macOS on a Mac at your institution”: https://support.apple.com/en-us/HT208020

Apple, “APFS and Imaging”: https://help.apple.com/deployment/macos/#/apd545ec8b69

Restoring an iMac Pro with Configurator: https://help.apple.com/configurator/mac/2.6/index.html?localePath=en.lproj#/apdebea5be51

createbootvolfromautonbi.py: https://github.com/munki/macadmin-scripts/blob/master/createbootvolfromautonbi.py

Bootstrappr: https://github.com/munki/bootstrappr

Erik Gomez, Custom DEP series: http://blog.eriknicolasgomez.com/2017/03/08/Custom-DEP-Part-1-An-Introduction/
http://blog.eriknicolasgomez.com/2017/03/08/Custom-DEP-Part-2-Creating-a-custom-package-and-deploying-Munki/
http://blog.eriknicolasgomez.com/2017/03/08/Custom-DEP-Part-3-Best-Practices/
http://blog.eriknicolasgomez.com/2017/03/08/Custom-DEP-Part-4-The-Future/
http://blog.eriknicolasgomez.com/2017/04/05/Custom-DEP-Part-5-Dynamic-InstallApplication/
http://blog.eriknicolasgomez.com/2017/04/27/Custom-DEP-Part-6-Vendor-Announcement-and-Presentation/
http://blog.eriknicolasgomez.com/2017/07/27/Custom-DEP-Part-7-Getting-started-with-AirWatch-9.1.3/

Victor Vranchan, Munkiing around with DEP: https://groob.io/posts/dep-micromdm-munki/

Post-credits scene (installinstallmacos.py): https://github.com/munki/macadmin-scripts/blob/master/installinstallmacos.py

Early notes on deploying images to iMac Pro

Overview

Here are some early notes on making and restoring a High Sierra deployment image to an iMac Pro.

“Wait, I thought imaging was dead! Especially imaging the iMac Pro with Secure Boot!” you may be thinking. My reply: “We’ll see, won’t we?” It’s early days here: we’re experimenting. Our experiments might lead to dead ends, or they might lead to useful results.

Continue reading “Early notes on deploying images to iMac Pro” →

Bootstrappr

A little while ago, I made a new Mac deployment tool available:

https://github.com/munki/bootstrappr

Bootstrappr is really nothing more than a Bash script that installs any packages it finds in an adjacent packages directory. There’s no GUI, no bells and whistles.

What is it for? Why would you use it?

You’d use it for installation-based deployment workflows on iMac Pro (and potentially any Mac).

Continue reading “Bootstrappr” →

MacSysAdmin 2016 Links

Here are links to various tools, documentation and blog posts I mention in my talk on Thursday at MacSysAdmin 2016:

Outset: https://github.com/chilcote/outset
Apple documentation on running code at login: https://developer.apple.com/library/content/technotes/tn2228/_index.html
LoginScriptPlugin: https://github.com/MagerValp/LoginScriptPlugin
PyMacAdmin/crankd: https://github.com/MacSysadmin/pymacadmin
Graham Gilbert’s crankd post: https://grahamgilbert.com/blog/2013/07/12/using-crankd-to-react-to-network-events/
Google macops’ ApplicationUsage.py: https://github.com/google/macops/tree/master/crankd

Stupid Tricks with createOSXinstallPkg and VMware Fusion

Like many people tasked with managing OS X/macOS machines, I use VMware Fusion to do a lot of testing. Fusion enables me to test in various versions of OS X, and to easily make changes and revert to a prior state. It’s a great tool.

For some of the testing I do, it’s important to be able to quickly and easily build a VM that is configured just like the “real” machines I manage. There are a few way to do that. Since we build our machines by booting into a NetBoot image and using Graham Gilbert’s excellent Imagr (https://github.com/grahamgilbert/imagr) to restore an image, it’s great that we can also boot Fusion VMs from a NetBoot image.

Continue reading “Stupid Tricks with createOSXinstallPkg and VMware Fusion” →

MacTech Conference 2016

I’ll be speaking at MacTech Conference 2016, November 16-18 in Los Angeles: http://conference.mactech.com

You can save $600 on the registration costs if you register by May 31: http://conference.mactech.com/pricing/

MacSysAdmin 2016

Information and registration for MacSysAdmin 2016 is available:

http://macsysadmin.se/2016/Home.html

October 4-7, 2016 in Gothenburg, Sweden, MacSysAdmin continues to be a fantastic event for the Mac admin community. I highly recommend it!

Using autopkg for “general purpose” packaging

A few days ago I made a simple tool for building packages available: munkipkg.

https://github.com/munki/munki-pkg

I got many comments and suggestions for additional features and all sorts of cool additions. Some have even been added to the tool already. But I would like to keep munkipkg a pretty simple, basic tool.

The Luggage (https://github.com/unixorn/luggage) has been around for a while; if munkipkg is too simple for your needs, please have look at that.

I also suggested to several people that if they had more complex needs than munkipkg could handle, it might make more sense to use autopkg, which supports very complex, customizable workflows.

I could tell by the awkward silence that my suggestion was confusing to some — that they had trouble grokking how to use autopkg to build packages “from scratch”, using files and scripts on the local disk.

So I created a GitHub repo demonstrating how to use autopkg in this manner. It’s here: https://github.com/gregneagle/autopkg-packaging-demo

munkipkg comes with three demo package projects. Two of the packages install files, the third is a “payload-free” package that simply runs a script when installed. The autopkg-packaging-demo duplicates these packages, but uses autopkg to build them instead of munkipkg.

(One could also imagine building these packages using either tool: the payload and scripts directories would be the same — in other words, you could have both a build-info.plist for munkipkg and a recipe for autopkg in the same package project directory.)

Assuming you have autopkg installed, you can `git clone` the repo, or download and expand the zip file, and run the autopkg recipes within.

I hope this clears up some confusion, and sparks some new ideas!

Accessing More Frameworks with Python

This post is based on a column I wrote for MacTech magazine in 2012. MacTech used to make older columns available online, but they haven’t done that for the past several years for some reason.
I’m planning to go through my older columns and dust off and republish some that I think are still relevant or useful.

Recently, we built a command-line tool using Python and the PyObjC bridge to control display mirroring.
PyObjC supports a lot of OS X frameworks “out-of-the-box”, and accessing them from Python can be as simple as:

include CoreFoundation

But what if the problem you want to solve requires a framework that isn’t included with the PyObjC bindings? In turns out that you can create your own bindings. In this post we’ll explore this aspect of working with Python and OS X frameworks.

OUR SAMPLE PROBLEM

In my organization, we sometimes have a need to set displays to a certain ColorSync profile. The ColorSync profile to use for a given display is a per-user preference, so if you need to set it for all users of a machine, you can’t just manually set it while logged in as one user and call it good.

If you are managing display profiles for a group of machines, or a conference room machine that has network logins, you need a way to manage display profiles for all users. Using MCX or doing some defaults scripting might come to mind. Let’s look at that possibility.

Continue reading “Accessing More Frameworks with Python” →