Munki-Enroll tweaked: Leverage DeployStudio’s “Computer Information” fields to customise Munki builds

Munki-Enroll is a useful tool when installing the Munki tools on Mac clients. It automates the creation of unique client manifests, which makes it easy to change a client's group manifests remotely at any time with tools like manifestutil, MunkiAdmin or MunkiWebAdmin, using the included_manifests key in Munki manifests.

I have tweaked Munki-Enroll in order to leverage a feature of DeployStudio called Computer Information fields. These are four text fields available in the Hostname workflow page.


The contents of these fields are actually written to a preference file on the host computer at /Library/Preferences/, with key names Text1, Text2, Text3, Text4. If you are using Imagr instead of DeployStudio, you could easily script the use of these fields with commands such as:

sudo defaults write /Library/Preferences/ Text1 "Some text"

I use these fields to determine manifest enrolment using Munki-Enroll. This allows me to have only two DeployStudio workflows for all computers: one for new, out-of-box Macs which don’t require a rebuild, and one for rebuilding Macs. All other imaging variations are determined by Munki manifests. My DeployStudio workflows include installing the MunkiTools package, and then a script which reads the contents of the Computer Information fields and posts them to Munki-Enroll using curl:

COMPFIELD1=`defaults read /Library/Preferences/ Text1`
COMPFIELD2=`defaults read /Library/Preferences/ Text2`
COMPFIELD3=`defaults read /Library/Preferences/ Text3`
COMPFIELD4=`defaults read /Library/Preferences/ Text4`

One could just write the manifest names one wished to include in the client manifest directly into these fields, and pass them to munki-enroll. In my case, I wished to use shortcuts to make inputting quicker, so I added some processing to the script to interpret the shortcuts (COMPFIELD1-4) and output manifest names (IDENTIFIER1-4):

Field Shortcut Munki manifest Function
#1 empty
_cg_za – _cg_zf
Default package set for Regular Users
Zone (area) specific packages, including local admin user creation
Zone D Student Laptop build (Open Access)
#2 empty
Default package set (if #1 is set to ZA-ZF)
Join to Active Directory (desktop build)
Join to Active Directory and add managed wifi profile (laptop build)
“Light touch” all-optional build
#3 empty

Do not encrypt
Encrypt the Mac using Crypt

I’m not using the fourth Computer Information field at this time. Of course, your organisation’s manifests are very unlikely to be the same, but I hope this gives you an idea of the flexibility that can be gained using the Computer Information fields with Munki-Enroll. I also use the contents of Computer Information field 1 in my Munki AD-binding package to determine the Active Directory Organisational Unit.

The manifests are then passed to the Munki-Enroll web page using a curl command:

/usr/bin/curl --max-time 5 --data \
"hostname=$LOCALHOSTNAME&identifier1=$IDENTIFIER1&identifier2=$IDENTIFIER2&identifier3=$IDENTIFIER3" \

Note that this is a POST request – a change from the default munki-enroll, which uses GET.
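The client-side step described above, as an added example rather than the author's script: it maps the field 1 shortcut to a manifest name, rejects anything it does not recognise, and posts with --data-urlencode so that field contents cannot add or override POST fields. The URL and the default manifest name are placeholders, and the function names and the rule that an empty field selects the default manifest are assumptions.

```shell
#!/bin/bash
# Added example (not the author's script). Placeholders are marked below.
ENROLL_URL="https://munki.example.com/munki-enroll/enroll.php"  # placeholder URL
DEFAULT_MANIFEST="default_users"  # placeholder: the page does not name the default manifest
CURL="${CURL:-/usr/bin/curl}"     # set CURL=echo for a dry run

# Field 1 shortcut -> manifest name. Empty selects the default set; ZA..ZF
# select _cg_za.._cg_zf. Anything else fails instead of being passed through.
map_field1() {
    local code
    code=$(printf '%s' "$1" | LC_ALL=C tr 'a-z' 'A-Z')
    case "$code" in
        "")        printf '%s\n' "$DEFAULT_MANIFEST" ;;
        Z[ABCDEF]) printf '_cg_%s\n' "$(printf '%s' "$code" | LC_ALL=C tr 'A-Z' 'a-z')" ;;
        *)         return 1 ;;
    esac
}

# Allow only characters that are harmless in a manifest name, a file path
# component and a form-encoded body (no '/', '&', '=', spaces or newlines).
is_safe_name() {
    case "$1" in
        ""|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Map, validate and POST. --data-urlencode encodes each value, so a stray
# '&' in the hostname cannot add or override a POST field.
enroll() {
    local host="$1" field1="$2" id1
    id1=$(map_field1 "$field1") || { echo "unknown shortcut in field 1" >&2; return 2; }
    is_safe_name "$id1" || { echo "unsafe manifest name" >&2; return 3; }
    "$CURL" --max-time 5 \
        --data-urlencode "hostname=$host" \
        --data-urlencode "identifier1=$id1" \
        "$ENROLL_URL"
}
```

The same allowlist check belongs in enroll.php as well, since the server cannot assume every request comes from this script.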

The Munki-Enroll script has been tweaked to accept each identifier and add them as included_manifests to the client manifest:

    // Add each non-empty identifier to included_manifests to achieve the
    // waterfall effect; the order here is the order Munki processes them in.
    $dict->add( 'included_manifests', $array = new CFArray() );
    if ( $identifier1 != "" )
            $array->add( new CFString( $identifier1 ) );
    if ( $identifier2 != "" )
            $array->add( new CFString( $identifier2 ) );
    if ( $identifier3 != "" )
            $array->add( new CFString( $identifier3 ) );
    // identifier4 is accepted for the fourth field, which is currently unused
    if ( $identifier4 != "" )
            $array->add( new CFString( $identifier4 ) );

Take a look at my tweaked version of Munki-Enroll here:

The full enroll.php and scripts:

