Creating a custom munki installer
In my organization, we offer munki as a self-service package that users can install themselves. This package contains the ‘standard’ munki installer plus the required settings to make the munki client connect to our munki server.
To include the settings we’re using munki-rebrand, a customization script that I wrote in 2014 and that got adopted by the fine people at Oxford IT. Recently Ben Goodstein rewrote the script and the current script is infinitely better than the original.
You’ll need a Mac with Xcode installed and no fear of the Terminal.
Get on with it
First, we create our build directory and put the rebrand script inside. I’m building in
/Users/Shared, but you can pick any directory. Open Terminal.app and start typing (or copy/paste).
cd /Users/Shared git clone https://github.com/ox-it/munki-rebrand.git munki_installer
Now we create our postinstall script which will set up our settings. In my org we only set
ClientIdentifier, but you can add any setting you need.
cd munki_installer echo '#!/bin/bash' > postinstall.sh echo 'SETPREF="defaults write /Library/Preferences/Managedinstalls"' >> postinstall.sh echo '$SETPREF SoftwareRepoURL https://munki.my.org/repo' >> postinstall.sh echo '$SETPREF ClientIdentifier selfservice' >> postinstall.sh
Now we can build the package. To be safe, we use the
tag of the latest munki release (‘v2.8.2’ at the moment). We need root privileges so we start the command with
sudo ./munki_rebrand.py --postinstall='postinstall.sh' --munki-release='v2.8.2' --appname='Managed Software Center'
If you end up with an installer package, good job! If not, retrace your steps and see what went wrong. You can distribute this package with your favorite package distribution tool.
Sign the package
To make the package play nice with macOS GateKeeper, you can sign the package with your developer account. Make sure you have the developer certificate installed in your keychain and run this command (replace the sign string with your own):
productsign --sign "Developer ID Installer: Your Org (X00XX0XX0X)" munkitools-188.8.131.5255.pkg munkitools-184.108.40.20655-signed.pkg
We put up our installer package on an intranet page with some instructions for the end user, but you can use whatever you need to get the package on the machines.
Further customization options
So far we only covered adding a postinstall script, the rebrand script can also rename the App (which was the original purpose) and add a custom icon. Please refer to the munki-rebrand github page for more information.
The default munki installer package installs munki with some default settings that may not fit your organization:
- SoftwareRepoURL: ‘http://munki/repo’
- ClientIdentifier: ‘’
There are several ways to add your required settings to a munki install:
- deploy a seperate ‘settings package’ containing a configuration profile or a script with a couple of
- have a server listening on http://munki/repo with a site_default manifest that contains a package that sets up the config for the real munki server.
- disassemble the munki metapkg and re-assemble with an added settings package.
These methods have their pros and cons, in my org, we opted to go a different route.