Historically I have always configured our MunkiReport Machine Groups with a configuration profile delivered via Munki. However starting with macOS Big Sur, the ability to manage profiles from the command line was removed meaning Munki can no longer install or remove them.
One option would have been to move these configuration profiles to our MDM as I did for our other profiles. However I didn’t want to duplicate the effort of managing computer group assignments in both Munki and MDM.
Since maintaining groups in Munki to aid in software deployments is still required, I decided to use NoPkgs to configure our MunkiReport Machine Groups. This way they will be automatically changed whenever a computer gets moved to a different group (via included manifest). Read on for the details.
The key to making this work is that I follow Alan Siu’s opinionated guide to Munki manifests. Every computer in my fleet has a serial number manifest which in turn has various included manifests that help define the available software.
C02L13ECXXXX ├─ Technology ├─ Notebooks ├─ Common Software
My MunkiReport PkgInfos, one for each machine group, go in that second level “departmental” manifest. This way if I reassign a computer to a new department, by changing its included manifest, it will automatically switch machine groups in MunkiReport.
The NoPkg consists of four scripts to do the work. You need to configure your desired group name or key in the first two.
For applying the change we first use an installcheck_script to evaluate the status:
#!/bin/sh # Check to see what passphrase is currently configured CURRENTGROUP=$(/usr/bin/defaults read /Library/Preferences/MunkiReport Passphrase) # Is the passphrase configured correctly? if [ "$CURRENTGROUP" = "technology" ] then /bin/echo "The MunkiReport machine group is configured correctly." exit 1 else /bin/echo "The MunkiReport machine group needs to be changed." exit 0 fi
The postinstall_script is executed if installation is needed:
#!/bin/sh /usr/bin/defaults write /Library/Preferences/MunkiReport Passphrase 'technology'
To remove the configuration the uninstallcheck_script is run first:
#!/bin/sh # Is the passphrase configured? if ! /usr/bin/defaults read /Library/Preferences/MunkiReport Passphrase then /bin/echo "The MunkiReport machine group is not configured." exit 1 else /bin/echo "The MunkiReport machine group needs to be deleted." exit 0 fi
The uninstall_script is then executed if uninstallation is necessary:
#!/bin/sh /usr/bin/defaults delete /Library/Preferences/MunkiReport Passphrase
An uninstallation is not needed to simply change groups as the newly assigned NoPkg will overwrite the key from the old one.
A full example PkgInfo file can be found on GitHub: https://github.com/kevinmcox/Munki-NoPkgs/blob/main/MunkiReportGroup.pkginfo