-
Notifications
You must be signed in to change notification settings - Fork 339
Managing Configuration Profiles
Using Munki to manage configuration profiles
(Recent versions of macOS have broken this functionality. See Configuration Profile Emulation for more info and a partial workaround. Ultimately, though, you should be using an MDM server to manage configuration profiles for your managed Macs.)
Since version 2.2, Munki offers "native" support for configuration profiles. Instead of having to wrap a configuration profile in a package to be able to deploy with Munki, Munki supports configuration profiles as an item it knows how to install and remove without "wrapping".
Munki manages system-level configuration profiles, as it runs as root. Enrollment profiles, for configuring the computer to be managed by an MDM server, are not supported.
For configuration profiles not supported by Munki, consider wrapping them in a package with this tool: https://github.com/timsutton/make-profile-pkg
In macOS Big Sur (and presumably beyond), it is no longer possible to use the profiles
command to install profiles. This prevents Munki from installing profiles on Big Sur and beyond. See Configuration Profile Emulation for more info and a partial workaround.
Use munkiimport /path/to/some.mobileconfig
to import a .mobileconfig file into your Munki repo. Like a package, munkiimport will create a pkginfo file, add it to your pkginfo directory, and import the .mobileconfig file into the pkgs directory.
Configuration profiles should use the pkginfo key installer_type
with value profile
to specify that Munki should use the /usr/bin/profiles
command to install the profile. Likewise, an uninstall_method
of remove_profile
specifies that Munki should use profiles
to remove the profile as well.
Upon installing a configuration profile, Munki writes a receipt to the client's Managed Installs directory. Note, this is not the same as the OS X installer package receipts database. When removing a profile, Munki will remove this receipt.
The profiles
command will replace an existing profile with a new profile if the profiles share an identifier. Therefore, the profile's identifier value is used for determining identity. The UUID is not considered.
You can treat a profile item in manifests as you would any other piece of software -- you can add it to managed_installs, managed_uninstalls, optional_installs, etc.
If you need to update a profile, be sure to keep the identifier the same and bump the version number in the pkginfo. Do not attempt to use the PayloadVersion
key inside the profile itself to track your internal version info -- that refers to the version of the configuration profile format -- which to date, is always 1.
When examining whether to install a profile, Munki considers several conditions. If any of these conditions are false, Munki will try to install the profile.
Munki considers the following conditions, in this order:
-
Is the profile's identifier in the output of
profiles -C
?Every profile has an identifier, with a recommended value of a reverse-domain name uniquely identifying the profile. (e.g. com.myorganization.SoftwareUpdateSettings). Munki will compare the profile it is considering installing with the results of
profiles -C
to see if there is a match. For this reason, updates to an existing profile must use the same identifier (but a different version) to be considered for installation. -
Is there a receipt for this profile identifier?
Even if a profile has been manually installed, without a profile receipt, Munki will install the profile.
-
Does the hash of this profile match the receipt's hash_value match?
The hash value is generated by feeding the .mobileconfig file through a sha256 hashing algorithm. The hash is not based on the identifier, nor the UUID.
-
Does the
ProfileInstallDate
from the profile's receipt match theProfileInstallDate
specified byprofiles -C
?In the event that these dates differ, even though the identifier and hash match, Munki will install the profile.
Preference Management with Profiles - Penn State MacAdmins 2016
- Getting Started
- Overview
- Discussion Group
- Demonstration Setup
- Glossary
- Frequently Asked Questions
- Contributing to Munki
- Release Notes
- Introduction
- Managed Software Center in Munki 5.2
- Manual Apple Updates
- force_install_after_date for Apple Updates
- Additional update encouragement
- Aggressive update notifications
- AggressiveUpdateNotificationDays preference
- Additional Munki 5 changes
- Configuration profile notes
- Major macOS upgrade notes
- Upgrading to Munki 5
- Introduction
- Munki Links
- Product Icons
- Screenshots In Product Descriptions
- Client Customization
- Custom Help Content
- Featured Items
- Update Notifications:
- Introduction
- iconimporter
- makepkginfo
- munkiimport
- managedsoftwareupdate
- makecatalogs
- manifestutil
- repoclean
- Preferences
- Default Repo Detection
- Default Manifest Resolution
- Managed Preferences Support In Munki
- Apple Software Updates With Munki
- Pkginfo Files
- Supported Pkginfo Keys
- Pre And Postinstall Scripts
- Munki And AutoRemove
- Blocking Applications
- ChoiceChangesXML
- CopyFromDMG
- nopkg items
- How Munki Decides What Needs To Be Installed
- Default Installs
- Removal of Unused Software
- Upgrading macOS:
- Apple Updates:
- Securing the Munki repo
- Preflight And Postflight Scripts
- Report Broken Client
- MSC Logging
- Munki With Git
- Bootstrapping With Munki
- License Seat Tracking
- LaunchD Jobs and Changing When Munki Runs
- Web Request Middleware
- Repo Plugins
- Downgrading Software
- Downgrading Munki tools
- Authorized Restarts
- Allowing Untrusted Packages
- About Munki's Embedded Python
- Customizing Python for Munki
- Configuration Profile Emulation
- PPPC Privacy permissions
- AutoPkg
- Repackaging
- Creating Disk Images
- Stupid Munki Tricks
- Troubleshooting
- Professional Support
- Known Issues and Workarounds
- Building Munki packages
- Munki packages and restarts
- Signing Munki
- Removing Munki
- More Links And Tools
- Munki Configuration Script
- Who's Using Munki
- Munki 3 Information
- Munki 4 Information
- macOS Monterey Info
- Pkginfo For Apple Software Updates
- Managing Configuration Profiles
- Microsoft Office
- Adobe Products
- Upgrading macOS: