Posts Tagged ‘Managed Software Update’

Pulling Report Info from MunkiWebAdmin

Wednesday, November 6th, 2013

Alright, you’ve fallen in love with the Dashboard in MunkiWebAdmin – we don’t blame you, it’s quite the sight. Now you know one day you’ll hack on Django and the client pre/postflight scripts until you can add that perfect view to further extend it’s reporting and output functionality, but in the meantime you just want to export a list of all those machines still running 10.6.8. Mavericks is free, and them folks still on Snow Leo are long overdue. If you’ve only got a handful of clients, maybe you set up MunkiWebAdmin using sqlite(since nothing all that large is actually stored in the database itself.)

MunkiWebAdmin in action

Let’s go spelunking and try to output just those clients in a more digestible format than html, so I’d use the csv output option for starters. We could tool around in an interactive session with the sqlite binary, but in this example we’ll just run the query on that binary and cherry-pick the info we want. Most often, we’ll use the information submitted as a report by the pre- and postflight scripts munki runs, which dumps in to the reports_machine table. And the final part is as simple as you’d expect, we just select all from that particular table where the OS version equals exactly 10.6.8. Here’s the one-liner:

$sqlite3 -csv /Users/Shared/munkiwebadmin_env/munkiwebadmin/munkiwebadmin.db\
 "SELECT * FROM reports_machine WHERE os_version='10.6.8';"

 


And the resultant output:
b8:f6:b1:00:00:00,Berlin,"","",192.168.222.100,"MacBookPro10,1","Intel Core i7","2.6 GHz",x86_64,"8 GB"...

You can then open that in your favorite spreadsheet editing application and parse it for whatever is in store for it next!

LOPSA-East 2013

Monday, March 18th, 2013

For the first year I’ll be speaking at the newly-rebranded League of Extraordinary Gentlemen League of Professional System Administrators conference in New Brunswick, New Jersey! It’s May 3rd and 4th, and should be a change from the Mac-heavy conferences we’ve been associated with as of late. I’ll be giving a training class, Intro to Mac and iOS Lifecycle Management, and a talk on Principled Patch Management with Munki. Registration is open now! Jersey is lovely that time of year, please consider attending!

 

LOPSA-East '13

More fuel for the Simian fire – how does free sound?

Thursday, March 15th, 2012

Well we’ve been busy keeping our finger on the pulse of the Mac-managing open source community, and that genuine interest and participation continues to pay off. Earlier, we highlighted how inexpensive and mature the Simian project running on Google App Engine (GAE for short) is, although as of this writing refreshed documentation is still forthcoming. In that article we mentioned only one tool needs to be run on a Mac as part of maintaining packages posted to the service, and an attempt is being made to remove even the need for that. This new project was originally announced here, and has a growing number of collaborators. But that isn’t the biggest news about Managed Software Update (Munki) and Simian we have to announce today.

A technique that had been previously overlooked is now proven to be functional that allows you to use Simian as the repository of all of your configurations, but serve the actual packages from an arbitrary URL. Theoretically, if you take the publicly available pkginfo files, modify them to point to a web server on your LAN, (or even the vendors website directly, if you want them to be available from anywhere,) and your GAE service would fall under the free utilization limits with very little maintenance effort. This is big for institutions with a tight budget and/or multiple locations that want to take advantage of the App Engine platforms availability and Simian’s great interface. Beyond helping you save on bandwidth usage, this can also help control where your licensed software is stored.

Previously people have wished they could adapt Google’s code to run on their local network with the TyphoonAE beta project, but versus the recommended & supported method to deploy the server component, this is a great middle ground that brings down a barrier for folks having difficulty forecasting costs.

It’s an exciting time, with many fully-featured offerings to consider.

Munki’s Missing Link, the Simian Server Component from Google

Tuesday, March 13th, 2012

At MacWorld 2011, Ed Marczak and Clay Caviness gave a presentation called A Week in the life of Google IT. It included quite the bombshell, that Google was open-sourcing its Managed Software Update (Munki) server component for use on the Google App Engine (or GAE). Some began immediately evaluating the solution, but Munki itself was still young, and the enterprise-intent of the tool made it hard for smaller environments to consider evaluating. Luckily, the developers at Google kept at it, and just like GAE graduated from beta and other Google products got a facelift, a new primate now stands in our midst (mist?): Simian 2.0!

With enhancements more than skin deep, this release ups the ante for competing ‘munkiweb’ admin components, with rich logs and text editor-less manifest generation. For every package you’d like to distribute, only one run of the Munki makepkginfo tool is required – the rest can be done with web forms. No more ritual running of makecatalogs, just click the snazzy buttons in the interface!

Unlike the similarly GAE-based Cauliflower Vest, Simian does not require a Google account for per-client secure transmission, which makes evaluation easier. While GAE has ‘billable‘ levels, the free version allows for 1GB of storage with 1GB of upload and… yup, 1GB of download. While GAE may not be quite as straightforward to calculate the cost of as other ‘Platform as a Service’ offerings, it is, to use a phrase, ‘dumb cheap’. The only time the server’s instance would cost you during billable operation is when Admins are maintaining the packages stored, or when clients are actively checking in (by default once a day) and pulling packages down. As Google ‘dogfood’s the product, they have reported $.75/client per YEAR in the way of GAE-related costs.

Getting started with Simian is not a walk in the park, however: you must wrap your brain around the concept of a certificate authority (or CA), understand why the configuration files are a certain way based on the Simian way of managing Munki, and then pay close attention as you deploy your customized server and clients. Planning your Simian deployment starts with either creating or reusing an existing certificate authority, which would be a great way to leverage Puppet if it’s already running in your environment. Your server just needs to have its private key and public certificate signed by the same authority as the clients to secure their communication. Small or proof-of-concept deployments can use this guide to step you through a quick Certificate Authority setup.

When it comes to the server configuration, it’s good to specify who will be granted admin access, in addition to the email contact info for your support team. The GAE instance requires a Google account for authentication, and it is recommended that access is restricted to users from a particular Google Apps domain (free or otherwise). One tripping point is when allowing domain access to the GAE instance, you need to go to a somewhat obscure location in your GoogleApps dashboard (linked from above where the current services are listed on the dashboard tab, as pictured):

Ready to take the plunge? Once configurations have been set in the three files specified in the wiki, and the certs you’ll use to identify and authenticate your server, CA, and a client are stowed in the appropriate directories, go ahead and send it up to the great App Engine in the sky.

See our follow-up article

Patch Management (and More) for Macs with Managed Software Update

Friday, March 2nd, 2012

When compared to Linux distributions, Mac OS X has lacked a standard, built-in package management system. Although network based software is still a possibility with OS X’s Unix foundation, in practice it is used in very few environments. The fact that developer tools are not included by default raises the barrier to entry for all systems that purport to allow simplified installation of software, and much has been made of the Mac App Store filling the void for mere mortals.

Businesses, however, have engaged software companies to acquire volume licenses, which simplify asset tracking and deployment concerns. Employees expect certain tools to be available to them, and support personnel carefully monitor the workstations under their purview to proactively address security concerns and stability issues. The Mac App Store was not designed with these concerns in mind, and even projects like MacPorts and Homebrew lack the centralization that configuration and patch management systems provide.

Managed Software Update (MSU for short) is an application developed by Greg Neagle of Walt Disney Animation Studios to provide and end-user interface to a businesses centrally managed software repository. It relies upon a larger project called Munki (calling to mind helper monkeys) that requires little infrastructure to implement. Workstations can be managed at a company-wide, department, and individual level, with as much overlap as makes sense. And just as the thin or modular imaging methods utilize packages as their building blocks to modify an images configuration, MSU can enforce settings just as well as it can insure security patches are installed in a timely fashion.

Among other benefits, MSU gives IT the power to uninstall software when it would be better provisioned elsewhere, provide a self-service interface to approved software, and takes away the number one source of friction for employees: “Why can’t I be an administrator so I can install my own software and updates, like I can at home?”

With Managed Software Update, businesses can now safely and efficiently address this concern.