
Munki 6.3 Official Release

@gregneagle gregneagle released this 18 Apr 16:46
· 126 commits to main since this release
6c27df4

This is the official release of Munki 6.3, an enhancement release of the Munki tools.

Changes since beta 3:

  • Build script improvements to support signing and notarization. Thanks to @erikng

Enhancements

  • /usr/local/munki/managedsoftwareupdate is now a compiled binary. This makes it much easier to grant Munki PPPC/TCC permissions (like Full Disk Access) without having to grant too-wide permissions to /usr/sbin/installer or to Munki's embedded Python.
    In the package attached to this release, the binary is ad-hoc-signed only. You can create a PPPC/TCC configuration profile with the ad-hoc signature, but the designated requirement will change with each build/release. Consider signing the binary with your own Developer ID, or using the build at https://github.com/macadmins/munki-builds/releases.
  • The make_munki_mpkg.sh script has been updated to (optionally) sign the managedsoftwareupdate binary. Thanks to @korylprince (9006c81)
  • The make_munki_mpkg.sh script has been updated to (optionally) sign the Python framework, and to sign the applications in a way more compatible with notarization. Thanks to @erikng (6c27df4)
  • The embedded Python version has been bumped to 3.10.10. (3.11.2 was tried but there is a nasty upstream Python.org build bug in Python 3.11 that must be resolved). Additional Python modules have also been updated to current versions.
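
The PPPC/TCC note on managedsoftwareupdate above, as an added example (not part of the release notes and not Munki's own code): it builds a profile granting Full Disk Access to the binary by path and code requirement, and detects a cdhash-pinned (ad-hoc) requirement, which stops matching at the next build. The requirement strings, the signing identifier, the team ID and the payload identifier are constructed placeholders; the real requirement comes from `codesign -d -r- /usr/local/munki/managedsoftwareupdate`.

```python
import plistlib
import re
import uuid

MSU_PATH = "/usr/local/munki/managedsoftwareupdate"  # path from the release notes

# Constructed placeholder requirements, not values from any real build.
ADHOC_REQ = 'cdhash H"0123456789abcdef0123456789abcdef01234567"'
DEVID_REQ = ('identifier "managedsoftwareupdate" and anchor apple generic and '
             'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
             'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
             'certificate leaf[subject.OU] = TEAMID0000')


def normalize_requirement(codesign_line: str) -> str:
    """Strip the 'designated => ' prefix printed by `codesign -d -r-`."""
    return re.sub(r"^\s*(#\s*)?designated\s*=>\s*", "", codesign_line).strip()


def is_build_pinned(requirement: str) -> bool:
    """True if the requirement pins a cdhash and so matches exactly one build."""
    return re.search(r'\bcdhash\s+H"[0-9a-fA-F]{40}"', requirement) is not None


def build_pppc_profile(requirement: str, payload_id: str) -> bytes:
    """Return a profile granting Full Disk Access to managedsoftwareupdate only."""
    entry = {
        "Identifier": MSU_PATH,
        "IdentifierType": "path",       # a bare binary has no bundle ID
        "CodeRequirement": requirement,
        "Allowed": True,
    }
    tcc = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": payload_id + ".tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": {"SystemPolicyAllFiles": [entry]},  # Full Disk Access
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": payload_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "Munki managedsoftwareupdate Full Disk Access",
        "PayloadContent": [tcc],
    }
    return plistlib.dumps(profile)
```

Run `is_build_pinned()` on the normalized requirement before deploying: a `True` result means the profile has to be regenerated for every new build of the binary.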

Other changes

  • In earlier Munki releases, /usr/sbin/installer was executed via a launchd job. This worked around issues seen with Microsoft Office installers many years ago. This arrangement breaks the proper determination of the "responsible process" for PPPC/TCC protections. (Since launchd is directly launching installer, the responsible process is installer itself.) So in this release, /usr/sbin/installer is now run via the Python subprocess module. It is possible (though unlikely) this might cause some packages that previously could be successfully installed via Munki to fail. If you encounter this, please file an issue.
  • MACOSX_DEPLOYMENT_TARGET has been set to 10.13 for all of the GUI apps and the compiled managedsoftwareupdate wrapper, as 10.13 is the lowest macOS version supported for deployment by Xcode 14. Functionally, this means dropping official support for macOS < 10.13, though the code may be able to be built successfully on older versions of Xcode and older macOS versions.

A complete list of changes from the 6.2.1 release is here: v6.2.1...v6.3.0
A complete list of changes from 6.3 beta 3 is here: v6.3.0b3...v6.3.0

Build info

The GUI apps and the Python framework were built under Xcode 14.2 on macOS 13.3.1. Other versions of Xcode have not been tested and may cause different results.

Package versioning

  • Distribution package version: 6.3.0.4574
  • munki core tools version: 6.3.0.4556
  • LaunchAgents/LaunchDaemons version: 3.0.3265
  • Apps package version: 6.1.0.4573
  • Python package version: 3.10.10.4574

Signed/notarized builds

Thanks to the efforts of @erikng and @natewalck, signed and notarized builds of Munki tools packages are made available at https://github.com/macadmins/munki-builds/releases. There may be a delay for new releases -- please be patient.

Attachment info

The munkitools-6.3.0.4574.pkg attachment available here is an unsigned and unnotarized package that should install without requiring a restart unless upgrading from an extremely old Munki tools (like one of the 3.x releases or earlier). It should be suitable for most initial deployment scenarios, including those driven by DEP/ADE. It does not include a component to trigger "bootstrapping" or any other automatic run of the tools after installation. A signed and notarized version of this package should be available eventually at https://github.com/macadmins/munki-builds/releases.