Thanks very much to the folks at Amsys for having me out to London to present my talk this year at MacADUK, called Munki Mistakes Made Right. Over the last few years, I’ve done probably 25 munki installations, in groups as small as a few clients, or as many as a hundred. There are always challenges in implementing Munki well, especially as the product matures and grows and the ecosystem around it changes to add tools like autopkg, Jamf Pro, and other solutions that can be co-implemented with Munki.
I’ve learned a lot from my implementations, and I want to share that with everyone, that, as the saying goes, that my mistakes may be avoided for future generations of admins. I’ve prepared a few sections of this presentation on various mistakes I’ve made (security mistakes, configuration mistakes, catastrophic mistakes) and how we addressed them in practice. This talk shouldn’t be seen as totally conclusive of all the mistakes that one can make – folks are always coming up with new and creative ways to break things, as well they should – but it’s a good place for me to talk about the ways we’ve been changing our existing environments to make them better, stronger, and faster.
There are some things that I’ve released recently, code-wise, that get callouts in this presentation, and I want to make sure they’re called out clearly here for ease of use:
Munki in a Box 1.5.1
I released Munki in a Box 1.5.1 last week, and it was largely a maintenance release. The following changes should have been expected: by default, Munki in a Box will now setup HTTP Basic Auth set on a password of your choosing. In addition, it’s designed to be used with an HTTPS-native server, which you should be using anyway. The old security branch, which 1.5.0 was based on was something that walked that line, but it was time to fold that branch back in. So I did.
In addition, MIAB 1.5.1 now creates local overrides for all the autopkg recipes that are specified in the initial command variable, to better handle the trust package portion of autopkg.
Change Munki, Tell Slack
As part of the talk, I’m going to explain why a configuration manager or Mac-capable MDM is your best friend, but facing a lack of those for budgetary or administrative reasons, I’m going to give you a tool to deploy changes to your fleet in reportable ways.
If you just need to change one setting, there’s Change Munki, Tell Slack.
If you need to change an array of settings, there’s Change Munki, Tell Slack Many Things.
Both will handle a scripted change of your Munki preferences file and pass that information along to a Slack channel of your choosing via a webhook.
Slides & Notes
I’m making my slides and presenters notes available as a PDF for Download, in case you might enjoy it. If you have comments on the scripts above, please let me know, or suggestions for converting them to python, both are welcome.
Last night, I presented at MacDMV on the importance of Testing iOS 10 and Sierra in your environment. The slides and presenters notes are available as a PDF Download. You can also watch the presentation below via Facebook video. The presentation begins about 3:30.
Testing Sierra and iOS 10 is incredibly important, because you need to be ready on Day 1 in case your users update ahead of your wishes. You need to know whether you can make your existing systems work, or if you’re going to have to expend the political capital to roll them back. Do you have a testing setup? Do you have a testing plan? Do you know how to submit good feedback to Apple? This presentation will help.
I’ve also built a Sample Testing Checklist for your environment, available as a PDF below, and also as an editable OmniOutliner file so you can make your own editable list.
Below are the slides for my 2016 Talk at MacDevOps on Securing Munki. The talk was a good way to revisit what I’ve done with Munki in a Box and discuss some of the maybe not-so-great choices that were made along the way to get to where we are now with the security branch.
The talk focuses on the nature of the munki transaction, and where your deployment system can be vulnerable to attacks from casual interference, dedicated individuals with a grudge or a motive, or larger actors. There is also some advice about how to mitigate the problems that are presented by the architecture.
I’m not a fulltime security anything, but I’ve learned a lot in the last year by doing things that maybe aren’t advisable any longer. So, to anyone who used MIAB before 1.5.0 beta 2, there’s some work you should do to secure your repository if you meet certain use cases, and I strongly recommend that you adopt SSL encapsulation of the munki transaction, and the use of HTTP Basic Auth to secure your repository against prying eyes.
I’ll be making some changes to MIAB over the summer to automate the creation of a CA and enrollment of device certificates using the micromdm scep library and a web server that actually isn’t part of Server.app (likely to be the Go-based Caddy server as described by Viktor in a great blog post)
Chris Dawe from Wheelwrights LLC and I co-presented this deck at the Mac Admin & Developers Conference in London on Tuesday, February 9th 2016. Our focus was on leveraging native, 3rd party, and cross platform tools to help manage, troubleshoot and plan small, medium and large-scale WiFi networks across sites large & small.
Our presentation notes are available for download as a PDF file: A WiFi Toolkit – MacAdUK 2016
Some tools that we’ve mentioned include:
- Adrian Granados – WiFi Explorer (MAS and non-MAS)
- Adrian Granados – AirTool (free)
- Adrian Granados – WiFi Signal (MAS)
- Wireshark – Free & OS
- Open Source – Kismac (free)
- Etwok – NetSpot (non-MAS)
- Ekahau – SiteSurvey (Windows)
- Metageek – Chanalyzer (Windows)
- Metageek – InSSIDer Office (Mac + Windows)
Some resources that are helpful:
- Wireshark Cheat Sheet for Wi-Fi (PDF Download)
- Revolution Wi-Fi
- Wi-Fi Trek: Prague
- Apple iOS Deployment Guide (PDF Download)
- MacAdmins Slack – channels #wifi #networknerdery #meraki #aerohive
- Cisco Best Practices Guide for Apple Device Deployment (PDF Download)
- Aerohive High Density Network Design Guide (PDF Download)
- Meraki High Density Microsite
A presentation from the MacTech Conference, 2015, in Los Angeles, CA.
My presentation from the Penn State Mac Admins Conference, 2015.
You can download a PDF copy if you like.