For Abuco, I designed a Mac mass management system that is now used by two of its clients. Thanks to it, we are able to easily prepare new computers and centrally manage software and configuration on deployed Macs.:
We collaborated on the project with Vojta Myslivec, who helped me a lot with the configuration of the web server and security. If you are looking for a Linux sysadmin with a focus on security, I can recommend him.
However, technology is evolving, the system looks much different today than it did five years ago. Let’s look at both states.
How it is
Remote Mac management is provided by SimpleMDM connected to Apple Business Manager. New devices are enrolled into the MDM using Automated Device Enrollment. Older devices outside the ABM must make do with the standard Device Enrollment performed manually.
In addition to the configuration profiles, Simple MDM sends an installation package with our automation to the newly connected Mac. It ensures the installation of the Munki client, its configuration and subsequent software installation. The user is informed about the progress by the DEPNotify application.
In the future, we also want to support User Enrollment for BYOD devices. We have federated the clients domain between ABM and Azure Active Directory so that users can use Microsoft credentials for their managed Apple IDs. Data synchronization between ABM and AAD is provided by the SCIM protocol.
How it was
We use the DeployStudio tool to connect new and existing computers to our system. None of the clients has a server infrastructure on which DeployStudio could be run in network mode. Therefore, all its components are located on an external disk with macOS.
DeployStudio allows you to create an automated sequence of actions – workflow, in which you can, for example:
- Install .pkg packages and run scripts the next time you boot system on the target Mac.
- Create users and set the computer name.
- Restore the disk image if we want a “clean” computer.
We use several external disks because multiple technicians handle support directly on-site. Therefore, the disks must be synchronized from the state stored on the server. I wrote my own script to do that using rsync and git.
Installing software and updates
The software is installed using the Munki. Clients download installation files from our server via the Internet. The connection is secured by TLS and authentication. Through Munki we can upgrade macOS or add a new printer.
The vast majority of programs are obtained using the AutoPkg automation framework. Every day, a check is made to see if there is a newer version of any software. If so, it is downloaded and added to the Munki repository. For our part, it is enough to gradually make it available to all Macs.
To maintain control over Apple updates, we set up all clients to search for them on our Apple Software Update server replica. macOS updates are provided by the Linux server running standard web server. Synchronization and maintenance of the repository with updates is provided by Reposado. We also use the Margarita web application to control the Reposado. Through its interface, you can easily set the availability of updates to groups of computers.
We want to be proactive towards users. Each time the Munki client is started, information is sent to the munkireport-php web application. An overview of the status of computers allows us to solve some problems before the user notices them.
Munkireport can gather a lot of information. Noteworthy:
- Complete information about Mac hardware.
- All installed software.
- Wi-Fi network and signal strength.
- Used printers, external displays and Apple bluetooth accessories.