Automating Manual munki Imports with autopkg – Part 1: macOS Installers (Erase & Install)

Before recently leaving my current job, I started to go through a number of my processes for manually importing various software titles in a last-ditched effort to transition these tasks into something more automated. Taking inspiration from the Adobe 2020 autopkg recipes and since the download / collection part for some software has to be done manually, I decided to work on creating autopkg recipes to more easily bring these software titles into our munki_repo.

In this series, I’m going to walk through and discuss the challenges of bringing some of these software items into munki with autopkg. The intended use of these recipes is that an admin would copy the software installer into a desired folder which the recipe would reference and process accordingly. Any of the setup of autopkg or munki is far outside the scope of this and future posts.

In this first part, my focus is on importing macOS installers, intended specifically for use in an erase & install configuration.

See past the jump for more info.

There is nothing terribly complicated or challenging about importing a macOS installer into munki. This is an item that admins deal with quite regularly, and one which munki knows how to handle.

That being said, there is one area that as of this writing you can’t quite fully automate as part of an import: including startosinstall parameters for a macOS erase and install. Support in munki for the startosinstall options was introduced in 2017 when the osinstaller.py module was added, and included options like --agreetolicense (among others) by default. It was later updated to include more admin-specified options within an additional_startosinstall_options array defined in a munki item’s pkginfo file. There are no options in munkiimport to include this array as part of an import. I would argue that the use case is small enough that adding the functionality and checks to include this natively isn’t worth the effort, and thus an autopkg recipe to handle this is ideal.

I was previously manually importing the desired macOS installer with munkiimport and then duplicating the resulting pkginfo file in order to add the additional_startosinstall_options array with the necessary erase options shown below:

<key>additional_startosinstall_options</key>
<array>
	<string>--eraseinstall</string>
	<string>--newvolumename</string>
	<string>Macintosh HD</string>
</array>

Per Daz Wallace’s blog post on completing erase & installs however, an installcheck_script is also required in order to force munki to perform the desired macOS install since by default munki will not do this if the same major version is already installed. Per the wiki, an installcheck_script exit status of 0 will indicate that the specified software needs to be installed, so a script that does only that is sufficient.

#!/bin/sh
exit 0

Import Recipe

Unlike most recipes that start with a .download and then work their way toward a .munki recipe, the assumption here (and for the rest of the items in this series) is that an admin is using other tools (like installinstallmacos.py) or mechanisms to collect the desired software ahead of time and therefore only needs to run this recipe periodically.

As with any recipe that involves an unknown file name and the possibility of different locations, using the FileFinder processor is essential. In my recipes, I supply a PATH input variable to allow specifying where the recipe should look for a DMG containing the macOS installer app. Additionally, since we can’t assume things will remain the same across OS versions separate recipes for each major OS is a must.

All that’s left is to add the necessary additional_startosinstall_options array and installcheck_script as recipe input variables within the larger pkginfo array. Example below:

<key>additional_startosinstall_options</key>
<array>
    <string>--eraseinstall</string>
    <string>--newvolumename</string>
    <string>Macintosh HD</string>
</array>
<key>installcheck_script</key>
<string>#!/bin/sh
# Force munki to run macOS installer, even though the machine may already have the same major macOS version installed.
exit 0</string>

You can find the final recipes for macOS Mojave and Catalina here: https://github.com/autopkg/apizz-recipes/tree/master/macOSEraseInstall.

Using the Recipe

Per the instructions in the recipe description and README (be sure you’ve added my recipe repo – https://github.com/autopkg/apizz-recipes.git):

  1. Create a recipe override of this recipe.
  2. Use installinstallmacos.py to create a compressed DMG of the desired macOS installer.
  3. Copy the downloaded DMG onto your machine running autopkg in the folder specified in the PATH variable. Don’t include a trailing ‘/’.
  4. Run the recipe.
  5. Profit.

The end result is a macOS munki item that when run will erase and install the target Mac. If you happen to not want an erase & install munki item, simply remove the additional_startosinstall_options array.

Looking Ahead

While I’ve written these recipes for munki, there is no reason why someone couldn’t copy this format to create .pkg and .jss recipes for a macOS erase & install configuration. I have no personal experience importing software via autopkg & JSSImporter into a Jamf DP, so I’m uncertain whether or not it’s possible to similarly have a postinstall script be added to a created policy to achieve the same ends …

If you have questions or comments, post them below. Otherwise, if this was helpful give it a like!

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s