Munki has been a staple management tool for many MacAdmins for a decade.
However, in recent releases of macOS, Munki needs to be granted Privacy Preferences Policy Control (PPPC) permissions to access certain disk locations or to update some apps.
Thankfully, this has become very easy in the past year thanks to the MacAdmins community.
Read on for details and an example configuration profile.
Which permissions to grant
Granting SystemPolicyAllFiles, more commonly referred to as Full Disk Access, is the most permissive option and gives Munki access to the most files. It is the permission I deploy and the one used in my examples below.
Alternatively, SystemPolicyAppBundles should allow Munki to update most apps, but it might not allow all the access you need if you use custom scripts or NoPkgs.
Signed releases
In order to grant privacy permissions to Munki, you need to target managedsoftwareupdate and not Managed Software Center.app. In the standard release this binary carries only an ad-hoc signature; that still allows you to grant the needed permissions, but because the signature is tied to each individual build you would have to update your configuration profile after every release.
In the past, the only way to avoid this was to build and sign Munki yourself. However, beginning last year, signed builds are made available by the Mac Admins Open Source project for each Munki release: https://github.com/macadmins/munki-builds/releases
This greatly simplifies things by allowing you to deploy a configuration profile that generally won’t need to change.
Obtaining the signature
To get the signature needed for the configuration profile, install the latest signed release of Munki from the link above, then run the following command:
codesign -dr - /usr/local/munki/managedsoftwareupdate
Building the configuration profile
Every MDM has a slightly different interface for creating this privacy profile, but you will essentially need two pieces of information: the application path and the code requirement printed by the command above.
Application Path: /usr/local/munki/managedsoftwareupdate
Code Requirement: identifier munkishim and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = T4SK8ZXCXG
Custom configuration profile
If you are building a custom configuration profile, note a key difference compared to granting an application privacy permissions: the IdentifierType will need to be path instead of bundleID.
The dictionary should look like this:
<dict>
    <key>Allowed</key>
    <true/>
    <key>CodeRequirement</key>
    <string>identifier munkishim and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = T4SK8ZXCXG</string>
    <key>Identifier</key>
    <string>/usr/local/munki/managedsoftwareupdate</string>
    <key>IdentifierType</key>
    <string>path</string>
</dict>
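As an added example (my own illustration, not code from the post or the Munki project), this Python script pulls the designated requirement out of the `codesign -dr -` output, builds the dictionary above with IdentifierType set to path, and wraps it in a device-scoped PPPC profile; the profile identifier and display name are placeholder values.

```python
import plistlib
import uuid
# From the post: the signed Munki build's path and designated requirement.
MUNKI_PATH = "/usr/local/munki/managedsoftwareupdate"
MUNKI_REQUIREMENT = (
    "identifier munkishim and anchor apple generic and "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = T4SK8ZXCXG"
)

def requirement_from_codesign(output):
    """Extract the requirement from the 'designated => ...' line `codesign -dr -` prints."""
    for line in output.splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    raise ValueError("no designated requirement in codesign output")

def pppc_entry(identifier, code_requirement, allowed=True):
    """A bare executable is addressed by path, so IdentifierType is 'path', not 'bundleID'."""
    return {
        "Allowed": allowed,
        "CodeRequirement": code_requirement,
        "Identifier": identifier,
        "IdentifierType": "path" if identifier.startswith("/") else "bundleID",
    }

def build_fda_profile(entry, profile_id="com.example.pppc.munki"):
    """Wrap one SystemPolicyAllFiles entry in a device-scoped TCC profile (ids are placeholders)."""
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": profile_id + ".tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": {"SystemPolicyAllFiles": [entry]},
    }
    return {
        "PayloadContent": [payload],
        "PayloadDisplayName": "Munki Full Disk Access",
        "PayloadIdentifier": profile_id,
        "PayloadScope": "System",  # PPPC payloads must be installed at device scope
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }

def to_mobileconfig(profile):
    """Serialise the profile to the XML plist bytes of a .mobileconfig file."""
    return plistlib.dumps(profile)
```

Feed the real `codesign -dr -` output into requirement_from_codesign after each signed release to confirm the requirement in your deployed profile still matches.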
Example configuration profile
I have a full configuration profile available on my GitHub at this link: https://github.com/kevinmcox/Configuration-Profiles/blob/main/Privacy-FullDiskAccess-Munki.mobileconfig
Getting help
If you need any help please join us in the #munki channel on the MacAdmins Slack.