Munki-Enroll tweaked: Leverage DeployStudio’s “Computer Information” fields to customise Munki builds

Munki-Enroll is a useful tool to use when installing the Munki tools on Mac clients. It enables the automated creation of unique client manifests, which makes it easy to change the group manifests of a client remotely at any time using tools like manifestutil, MunkiAdmin or MunkiWebAdmin, utilising the included_manifests key in Munki manifests.

I have tweaked Munki-Enroll in order to leverage a feature of DeployStudio called Computer Information fields. These are four text fields available in the Hostname workflow page.


The contents of these fields are actually written to a preference file on the host computer at /Library/Preferences/com.apple.RemoteDesktop, with key names Text1, Text2, Text3, Text4. If you are using Imagr instead of DeployStudio, you could easily script the use of these fields with commands such as:

    sudo defaults write /Library/Preferences/com.apple.RemoteDesktop Text1 "Some text"

I use these fields to determine manifest enrolment using Munki-Enroll. This allows me to have only two DeployStudio workflows for all computers: one for new, out-of-box Macs which don’t require a rebuild, and one for rebuilding Macs. All other imaging variations are determined by Munki manifests. My DeployStudio workflows include installing the MunkiTools package, and then a munki-enroll.sh script which reads the contents of the Computer Information fields and posts them to Munki-Enroll using curl:

    # defaults exits non-zero for an unset key; the error is discarded and the variable stays empty
    COMPFIELD1=$(defaults read /Library/Preferences/com.apple.RemoteDesktop Text1 2>/dev/null)
    COMPFIELD2=$(defaults read /Library/Preferences/com.apple.RemoteDesktop Text2 2>/dev/null)
    COMPFIELD3=$(defaults read /Library/Preferences/com.apple.RemoteDesktop Text3 2>/dev/null)
    COMPFIELD4=$(defaults read /Library/Preferences/com.apple.RemoteDesktop Text4 2>/dev/null)

One could just write the manifest names one wished to include in the client manifest directly into these fields, and pass them to munki-enroll. In my case, I wished to use shortcuts to make inputting quicker, so I added some processing to the script to interpret shortcuts (COMPFIELD1-4) and output manifest names (IDENTIFIER1-4):

| Field | Shortcut | Munki manifest | Function |
|-------|----------|----------------|----------|
| #1 | empty | _cg_ru | Default package set for Regular Users |
| #1 | ZA – ZF | _cg_za – _cg_zf | Zone (area) specific packages, including local admin user creation |
| #1 | OA | _cg_zd_oa | Zone D Student Laptop build (Open Access) |
| #2 | empty | _cg_ru | Default package set (if #1 is set to ZA-ZF) |
| #2 | AD | _cg_ad | Join to Active Directory (desktop build) |
| #2 | ADL | _cg_ad_eduroam | Join to Active Directory and add managed wifi profile (laptop build) |
| #2 | AO | _cg_all_optional | “Light touch” all-optional build |
| #3 | empty | (none) | Do not encrypt |
| #3 | FV | _cg_encrypt | Encrypt the Mac using Crypt |

I’m not using the fourth Computer Information field at this time. Of course, your organisation’s manifests are very unlikely to be the same, but I hope this gives you an idea of the flexibility that can be gained using the Computer Information fields with Munki-Enroll. I also use the contents of Computer Information field 1 in my Munki AD-binding package to determine the Active Directory Organisational Unit.
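The shortcut processing described above, sketched as an added example that is not the author's munki-enroll.sh: the mappings follow the table, while the function names, case-insensitive matching, de-duplication and the rejection of unrecognised shortcuts are assumptions made here.

```shell
#!/bin/sh
# Added example: translate Computer Information shortcuts into manifest names.
# Only values listed in the table are accepted, so free text typed into a
# field is never forwarded to the enrolment server as a manifest name.

# Remove all whitespace and lower-case the value (assumed input convention).
normalise() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# Field 1: empty -> regular users, ZA..ZF -> zone manifest, OA -> open access.
map_field1() {
    v=$(normalise "$1")
    case "$v" in
        "")         echo "_cg_ru" ;;
        z[abcdef])  echo "_cg_$v" ;;
        oa)         echo "_cg_zd_oa" ;;
        *)          return 1 ;;   # unknown shortcut: fail closed
    esac
}

# Field 2: empty -> default set, AD / ADL -> directory binding, AO -> optional.
map_field2() {
    case "$(normalise "$1")" in
        "")   echo "_cg_ru" ;;
        ad)   echo "_cg_ad" ;;
        adl)  echo "_cg_ad_eduroam" ;;
        ao)   echo "_cg_all_optional" ;;
        *)    return 1 ;;
    esac
}

# Field 3: empty -> no encryption manifest, FV -> encryption manifest.
map_field3() {
    case "$(normalise "$1")" in
        "")   echo "" ;;
        fv)   echo "_cg_encrypt" ;;
        *)    return 1 ;;
    esac
}

# Print the manifest names for three fields, one per line, without blanks or
# duplicates. Returns non-zero and prints nothing if any field is unrecognised.
resolve_manifests() {
    m1=$(map_field1 "$1") || return 1
    m2=$(map_field2 "$2") || return 1
    m3=$(map_field3 "$3") || return 1
    printf '%s\n' "$m1" "$m2" "$m3" | awk 'NF && !seen[$0]++'
}
```

In an enrolment script this would be called as `resolve_manifests "$COMPFIELD1" "$COMPFIELD2" "$COMPFIELD3"`, aborting the enrolment when it returns non-zero.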

The manifests are then passed to the Munki-Enroll web page using a curl command:

    /usr/bin/curl --max-time 5 \
        --data-urlencode "hostname=$LOCALHOSTNAME" \
        --data-urlencode "identifier1=$IDENTIFIER1" \
        --data-urlencode "identifier2=$IDENTIFIER2" \
        --data-urlencode "identifier3=$IDENTIFIER3" \
        "$MUNKI_REPO_URL/munki-enroll/enroll.php"

Note that this is a POST command – a change from the default munki-enroll which uses GET.

The Munki-Enroll script has been tweaked to accept each identifier and add them as included_manifests to the client manifest:

    // Add parent manifest to included_manifests to achieve waterfall effect
    $dict->add( 'included_manifests', $array = new CFArray() );
    if ( $identifier1 != "" )
        {
            $array->add( new CFString( $identifier1 ) );
        }
    if ( $identifier2 != "" )
        {
            $array->add( new CFString( $identifier2 ) );
        }
    if ( $identifier3 != "" )
        {
            $array->add( new CFString( $identifier3 ) );
        }
    if ( $identifier4 != "" )
        {
            $array->add( new CFString( $identifier4 ) );
        }

Take a look at my tweaked version of Munki-Enroll here: https://github.com/grahampugh/munki-enroll

The full enroll.php and munki-enroll.sh scripts:
