Quick Notes on Munki powered by SimpleMDM (…and how this works along Zentral open-source)

zentral
Zentral Pro Services
4 min read · Jun 16, 2020


On Friday last week, Taylor Boyko, Founder and CEO at SimpleMDM, announced that they will launch Munki powered by SimpleMDM shortly after the MacDevOps:YVR conference.

Today we begin the technology preview for an exciting addition: Munki powered by SimpleMDM. Using Munki has traditionally required additional administrative effort to configure and maintain Munki clients and a repository. With this release, a tightly integrated, hosted Munki deployment is now available out-of-the-box for SimpleMDM admins.

The full-length announcement can be read here

Now, just a few days later, the technology preview is already live for the customers who requested to be included.

For the moment, the new feature is only available on request. To be included, simply send the support team a quick email with your request.

The support team will verify that you don’t currently have a conflicting setup (such as an existing Munki pkg already in use) and then process your account to get updated. The team at SimpleMDM is extremely fast in enrolling customers with the new features.

Meanwhile, some fellow #macadmins like Erik Gomez already have their hands on the new features. He did a bit of a security review last night; read some insights he shared here: https://twitter.com/Contains_ENG/status/1272673299106054145 and here: https://twitter.com/Contains_ENG/status/1272673698454044672

Earlier today, we had a chance to quickly test the Munki powered by SimpleMDM tech preview and validate that things play well with our Zentral open-source server. As everything is based on Munki 5, we didn’t expect many issues and can confirm things work beautifully.

Below are some brief notes on our initial findings (subject to change and revision once we learn more). We’ll look further into the next round of features as they go live and collect updated information coming from the community here in a shortlist of links:

Upload and assign Apps

Apps get uploaded in the App & Media > Catalog > Upload macOS binary section.

On the enrolled macOS client, a SimpleMDM Agent app is automatically installed and launched. It is visible as a menu bar app and lets you open the Munki Managed Software Center (MSC) from there.

For apps to be installed by Munki and (optionally) become visible in MSC, you first have to upload them to SimpleMDM. Then you can make your assignments to install apps either automatically or provide them as a Self Service item in the MSC.

The Munki configuration is pushed automatically as a configuration profile via MDM. All Munki-related files are installed at the common paths for Munki, such as Applications or /Library/Managed Installs/. The MSC installed automatically is currently version 5.2.0.4033.

Note: Packages must be signed product archives to be accepted by macOS and SimpleMDM.

We briefly tested the Zentral related additions to Munki 5.0 and those work fine for us — inventory data is pushed to Zentral and there is no difference in operation to other Munki deployments here (see screenshots below).

Usually, typical extra installs are performed to connect Munki with a dashboard service such as Sal or Munki Report PHP. We haven’t tested either yet in the setup with SimpleMDM, but in general this should work fine too, as long as you use signed product archives here.

DMG files — simple ones work easily

  • You can upload simple .dmg files via drag and drop to the Catalog section
  • The DMG will be analyzed, the Icon gets extracted and you can assign the App

Pkg files — they need to be signed product archives

  • All .pkg files need to be signed product archives before they become available for Munki assignments. Uploading a .pkg file and assigning it is not enough on its own.

As before, the use of signed product archives is a must. This applies to the majority of .pkgs acquired by AutoPkg, including vendor/project .pkg builds from GitHub. If in doubt, try to (re)sign with productsign prior to uploading to SimpleMDM.

Something along the lines of the command below should work to sign the pkgs. You must have an Apple Developer Account for this to work.

/usr/bin/productsign --sign "Developer ID Installer: Your Apple Account Name (**********)" Zoom-5.1.27838.0614.pkg ~/Desktop/Zoom-5.1.27838.0614.pkg-signed.pkg
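
A pre-upload check for the signed-product-archive requirement described above, as an added example that is not part of the original post or of SimpleMDM's tooling. It reads the xar table of contents of a .pkg and reports whether it carries a signature element and a top-level Distribution file (which marks a product archive); the function names and the sample archives are constructed for illustration.

```python
import struct
import sys
import xml.etree.ElementTree as ET
import zlib

HEADER = struct.Struct(">4sHHQQI")  # magic, hdr size, version, TOC sizes, cksum alg
MAX_TOC = 16 * 1024 * 1024          # refuse oversized TOCs (decompression bomb)

def inspect_pkg(data: bytes) -> dict:
    """Structural pre-upload check of a flat .pkg (xar archive).

    Looks only at the table of contents; it does not validate the
    certificate chain or the signature itself.
    """
    if len(data) < HEADER.size or data[:4] != b"xar!":
        raise ValueError("not a xar/flat package")
    _, hdr_size, _, toc_clen, toc_ulen, _ = HEADER.unpack_from(data)
    if toc_ulen > MAX_TOC:
        raise ValueError("TOC too large")
    blob = data[hdr_size:hdr_size + toc_clen]
    toc_xml = zlib.decompressobj().decompress(blob, MAX_TOC)
    if len(toc_xml) != toc_ulen:
        raise ValueError("TOC length mismatch")
    toc = ET.fromstring(toc_xml).find("toc")
    if toc is None:
        raise ValueError("missing <toc>")
    top_level = [f.findtext("name") for f in toc.findall("file")]
    signed = toc.find("signature") is not None or toc.find("x-signature") is not None
    product = "Distribution" in top_level  # written by productbuild
    return {"signed": signed, "product_archive": product,
            "ok_to_upload": signed and product}

def build_sample(signed: bool, product: bool) -> bytes:
    """Constructed minimal xar for demonstration; not a real installer."""
    sig = '<signature style="RSA"><offset>20</offset><size>256</size></signature>' if signed else ""
    names = ["Distribution", "app.pkg"] if product else ["PackageInfo", "Payload"]
    files = "".join(f'<file id="{i}"><name>{n}</name></file>' for i, n in enumerate(names, 1))
    xml = f"<xar><toc>{sig}{files}</toc></xar>".encode()
    comp = zlib.compress(xml)
    return HEADER.pack(b"xar!", HEADER.size, 1, len(comp), len(xml), 1) + comp

if __name__ == "__main__":
    if len(sys.argv) > 1:  # inspect real packages given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, inspect_pkg(fh.read(HEADER.size + MAX_TOC)))
    else:                  # otherwise run against the constructed samples
        for s, p in [(True, True), (False, True), (True, False)]:
            print(s, p, inspect_pkg(build_sample(s, p)))
```

On macOS, `pkgutil --check-signature` on the signed file remains the check that validates the certificate chain; this structural test only catches unsigned or component packages before upload.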

Assignment to install

You have several groups available for app assignments: either install automatically, tagged “munki managed”, or present in MSC, tagged “munki self serve”.

After you have made changes to app assignments, you want to Update the Catalog so the update can be applied by Munki running on the endpoint.

macOS Endpoint Agent (quick install & connect validation)

For a quick compatibility check between Munki powered by SimpleMDM and our Zentral open-source project, we ran an assignment with some beloved and popular macOS endpoint agents that can all connect to Zentral.

The following endpoint agents worked nicely* as expected (all .pkgs uploaded as signed product archives, deployed with Munki powered by SimpleMDM):

  • osquery-4.3.0-signed.pkg
  • santa-1.1.3-signed.pkg
  • zentral_munki_enroll-signed.pkg
  • zentral_osquery_enroll-signed.pkg
  • zentral_santa_enroll-signed.pkg

*Note: To run and fully operate the above security agents on macOS endpoints, you must deploy accompanying configuration profiles to allow Security Extension and set TCC profiles via SimpleMDM.

Enrolled to Zentral — macOS client + Osquery + Santa with Munki powered by SimpleMDM
Managed Software Center — showcase install for common macOS Security agents (usually installed in background automatically)

The new features in the tech preview for Munki powered by SimpleMDM are pretty cool and a great addition to SimpleMDM.

Thanks to the SimpleMDM team for introducing this new feature for #macadmins.


We’re the developers behind Zentral. We operate a consultancy business, provide expertise and services all around Mac management. Contact: https://zentral.com