Granting Munki Full Disk Access

Munki has been a staple management tool for many MacAdmins for a decade.

However, in recent releases of macOS, Munki needs to be granted Privacy Preferences Policy Control (PPPC) permissions to access certain disk locations or to update some apps.

Thankfully, this has become very easy in the past year thanks to the MacAdmins community.

Read on for details and an example configuration profile.

Which permissions to grant

Granting SystemPolicyAllFiles, more commonly referred to as Full Disk Access, is the most permissive option and gives Munki access to the widest set of files. It is the permission I deploy and the one used in my examples below.

Alternatively, SystemPolicyAppBundles should allow Munki to update most apps, but it might not grant all the access you need if you use custom scripts or NoPkgs.

Apple Documentation

Signed releases

In order to grant privacy permissions to Munki, you need to focus on the managedsoftwareupdate binary and not Managed Software Center.app. In the standard Munki release this binary is signed with an ad-hoc signature. That still lets you grant the needed permissions, but because an ad-hoc signature is tied to that specific build, you would have to update your configuration profile after each release.

To avoid this in the past, you would have needed to build and sign Munki yourself. However, beginning last year, signed builds are made available by the Mac Admins Open Source project for each Munki release: https://github.com/macadmins/munki-builds/releases

This greatly simplifies things by allowing you to deploy a configuration profile that generally won’t need to change.

Obtaining the signature

To get the signature needed for the configuration profile, install the latest signed release of Munki from the link above. Then run the following command to print the binary's designated code requirement:

codesign -dr - /usr/local/munki/managedsoftwareupdate

Building the configuration profile

Every MDM has a slightly different interface for creating this privacy profile, but you'll essentially need two pieces of information: the application path and the code requirement printed by the command above.

Application Path: /usr/local/munki/managedsoftwareupdate

Code Requirement: identifier munkishim and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = T4SK8ZXCXG

Custom configuration profile

If you are building a custom configuration profile, note one key difference compared to granting privacy permissions to an application bundle: because managedsoftwareupdate is a bare binary rather than an .app, the IdentifierType must be path instead of bundleID, and the Identifier is the filesystem path.

The dictionary should look like this:

<dict>
	<key>Allowed</key>
	<true/>
	<key>CodeRequirement</key>
	<string>identifier munkishim and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = T4SK8ZXCXG</string>
	<key>Identifier</key>
	<string>/usr/local/munki/managedsoftwareupdate</string>
	<key>IdentifierType</key>
	<string>path</string>
</dict>
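The two pieces above, extracting the designated requirement from the codesign output and building the TCC dictionary, can be scripted so the profile is generated rather than hand-edited. The following Python script is an added example for this article; it is not Munki's code nor the author's profile. It uses the path and code requirement quoted in this post, wraps the dictionary in a com.apple.TCC.configuration-profile-policy payload, and includes a check that catches the bundleID-versus-path mistake the text warns about. The organization name, payload identifiers and the sample codesign output are constructed placeholders.

```python
"""Generate a PPPC (TCC) configuration profile granting Full Disk Access to
Munki's managedsoftwareupdate binary.

Added example for this article, not Munki's own code. The payload layout
follows Apple's com.apple.TCC.configuration-profile-policy payload type;
identifiers and UUIDs below are constructed placeholders."""

import plistlib
import uuid

# Path and designated requirement exactly as quoted in the article.
MUNKI_PATH = "/usr/local/munki/managedsoftwareupdate"
MUNKI_REQUIREMENT = (
    "identifier munkishim and anchor apple generic and "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = T4SK8ZXCXG"
)

# Constructed sample of what `codesign -dr - <path>` prints: the Executable=
# line goes to stderr and the designated requirement to stdout.
SAMPLE_CODESIGN_OUTPUT = (
    "Executable=/usr/local/munki/managedsoftwareupdate\n"
    "designated => " + MUNKI_REQUIREMENT + "\n"
)


def parse_designated_requirement(codesign_output: str) -> str:
    """Return the requirement string from `codesign -dr -` output."""
    prefix = "designated => "
    for line in codesign_output.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    raise ValueError("no designated requirement found in codesign output")


def tcc_entry(identifier: str, requirement: str) -> dict:
    """One entry for a TCC service array (the dictionary shown in the article).

    IdentifierType is 'path' because managedsoftwareupdate is a bare binary;
    an application bundle would use 'bundleID' and its bundle identifier."""
    identifier_type = "path" if identifier.startswith("/") else "bundleID"
    return {
        "Allowed": True,
        "CodeRequirement": requirement,
        "Identifier": identifier,
        "IdentifierType": identifier_type,
    }


def validate_entry(entry: dict) -> bool:
    """Catch the mismatch the article calls out: a filesystem path must be
    paired with IdentifierType 'path', a bundle identifier with 'bundleID'."""
    is_path = entry["Identifier"].startswith("/")
    expected = "path" if is_path else "bundleID"
    return entry["IdentifierType"] == expected and entry["CodeRequirement"] != ""


def build_profile(identifier: str, requirement: str, org: str = "Example Org") -> dict:
    """Assemble a full configuration profile with one TCC payload that grants
    SystemPolicyAllFiles (Full Disk Access) to the given binary."""
    entry = tcc_entry(identifier, requirement)
    if not validate_entry(entry):
        raise ValueError("TCC entry is inconsistent")
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadContent": [
            {
                "PayloadType": "com.apple.TCC.configuration-profile-policy",
                "PayloadIdentifier": "com.example.tcc.munki." + payload_uuid,  # placeholder
                "PayloadUUID": payload_uuid,
                "PayloadVersion": 1,
                "PayloadDisplayName": "Munki Full Disk Access",
                "Services": {"SystemPolicyAllFiles": [entry]},
            }
        ],
        "PayloadDisplayName": "Privacy Preferences - Munki",
        "PayloadIdentifier": "com.example.privacy.munki",  # placeholder
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def profile_to_xml(profile: dict) -> bytes:
    """Serialize the profile as an XML plist, the .mobileconfig format."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(xml: bytes) -> dict:
    """Parse a .mobileconfig back into a dictionary (round-trip check)."""
    return plistlib.loads(xml)


if __name__ == "__main__":
    requirement = parse_designated_requirement(SAMPLE_CODESIGN_OUTPUT)
    print(profile_to_xml(build_profile(MUNKI_PATH, requirement)).decode())
```

On a Mac you would feed the real output into parse_designated_requirement, for instance with subprocess.run(["codesign", "-dr", "-", MUNKI_PATH], capture_output=True, text=True).stdout, and redirect the script's output to a .mobileconfig file for your MDM. The validate_entry check is deliberately strict so a profile that pairs a filesystem path with bundleID never gets generated, since TCC silently ignores such an entry.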

Example configuration profile

I have a full configuration profile available on my GitHub at this link: https://github.com/kevinmcox/Configuration-Profiles/blob/main/Privacy-FullDiskAccess-Munki.mobileconfig

Getting help

If you need any help please join us in the #munki channel on the MacAdmins Slack.
