Using Munki to manage Profiles from Profile Manager
Sometimes, you want to use a profile to enforce some OS X settings. Whether you're moving away from MCX or Profile Manager is isn't delivering your profiles, you can use Munki to push it out.
You will still need Profile Manager to make profiles, or you can use MCX to Profile to convert your MCX to .mobileconfig (profile!). Then wrap your profile into a .pkg with this tool: make-profile-pkg
It will even generate a recipt and an uninstall shell script to remove the the profile should you ever need to uninstall it! (Or put it in Munki as the uninstall script)
You can use this InstallCheck_Script for Munki to ensure that your profile is installed.
InstallCheck_Script:
#!/bin/sh
# Check if the profile is installed with Munki
HasProfile=$(/usr/bin/profiles -C | /usr/bin/grep "com.apple.mdm.mymdmserver.mydomain.com.12345678-9984-0130-2b83-406c8f235887.alacarte")
# The version of the package
PKG_VERSION="2014.07.08"
# The identifier of the package
PKG_ID="com.github.makeprofilepkg.Settings_for_bss-base"
# The version installed from pkgutil
VERSION_INSTALLED=$(/usr/sbin/pkgutil --pkg-info ${PKG_ID} | /usr/bin/grep version | /usr/bin/sed 's/^[^:]*: //')
if [ -z "${HasProfile}" ]
then
# Empty String - Not installed
exit 0
else
if [ "$VERSION_INSTALLED" = "$PKG_VERSION" ]
then
# Has a matching pkg version and profile identifier - Is installed
exit 1
else
# Has a matching profile identifier but the pkg version is not the same - Not installed
exit 0
fi
fi
Make sure you edit the InstallCheck_Script to match your profile identifier. The reason you would want Munki to check the identifier instead of the receipt is because that will stay even if you manually remove the profile. This script will check profiles instead to make sure it's actually active.
So now you have your InstallCheck_Script, you have your .mobileconfig wrapped in a .pkg as the payload, you have your uninstall script. They are all ready to go into the appropriate place in Munki.