So you’ve set up Munki to deploy software to your Macs by following the basic setup in Set up Munki, and now you want to set it up more securely.
You need two things: 1) a cert and 2) a secure repo.
- TRUST US
The optimal situation is a trusted certificate for your server from a reputable certificate authority. If you don’t have that, or want to use the self-signed certificate your server already has, then your Munki Mac clients will need to trust this certificate.
Export the cert from Server Admin if you’re using that to manage your Mac mini server. Place this cert file on your clients (using ARD, or other methods), then use the security command to get the Mac clients to trust this cert.
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/name-of-server.cer"
REFERENCE: Rich Trouton’s blog goes into more detail and details a way to script this.
- SECURE IT
Use htpasswd to add a password to your Munki repo.
htpasswd -c .htpasswd munki
Edit the .htaccess file in the repo so it contains:
AuthType Basic
AuthName "Munki Repository"
AuthUserFile /path/to/your/munki/repo_root/.htpasswd
Require valid-user
Encode the username and password for Munki:
python -c 'import base64; print("Authorization: Basic %s" % base64.b64encode(b"USERNAME:PASSWORD").decode())'
This prints:
Authorization: Basic VVNFUk5BTUU6UEFTU1dPUkQ=
Push out this encoded header to your Munki clients with ARD (or use some other method):
defaults write /Library/Preferences/ManagedInstalls.plist AdditionalHttpHeaders -array "Authorization: Basic VVNFUk5BTUU6UEFTU1dPUkQ="
Change the Munki RepoURL on all your clients to use the new secure URL:
defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL "https://munkiserver/munki_repo"
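To check the client settings produced by the steps above, here is an added example (not from the original post or the Munki project) that audits a ManagedInstalls-style plist for a well-formed Basic header and an https repo URL. The function names and the sample plists are constructed for illustration; the credentials are the USERNAME:PASSWORD placeholders used above.

```python
import base64
import binascii
import plistlib

def basic_auth_header(username, password):
    """Build the header value Munki sends for HTTP Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Authorization: Basic " + token

def audit_prefs(plist_bytes):
    """Return a list of problems found in a ManagedInstalls-style plist."""
    prefs = plistlib.loads(plist_bytes)
    problems = []
    url = prefs.get("SoftwareRepoURL", "")
    if not url.lower().startswith("https://"):
        problems.append("SoftwareRepoURL is not https; Basic credentials would cross the network in the clear")
    auth = [h for h in prefs.get("AdditionalHttpHeaders", [])
            if h.lower().startswith("authorization:")]
    if not auth:
        problems.append("no Authorization header in AdditionalHttpHeaders")
    for header in auth:
        value = header.split(":", 1)[1].strip()
        scheme, _, token = value.partition(" ")
        if scheme.lower() != "basic" or not token:
            problems.append("Authorization header lacks the 'Basic ' scheme prefix")
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            problems.append("Authorization token is not valid base64")
            continue
        if ":" not in decoded:
            problems.append("decoded token is not in username:password form")
    return problems

# Constructed sample preferences (placeholder credentials, hypothetical helper).
def sample_prefs(url, headers):
    return plistlib.dumps({"SoftwareRepoURL": url, "AdditionalHttpHeaders": headers})

GOOD = sample_prefs("https://munkiserver/munki_repo",
                    [basic_auth_header("USERNAME", "PASSWORD")])
BAD = sample_prefs("http://munkiserver/munki_repo",
                   ["Authorization: VVNFUk5BTUU6UEFTU1dPUkQ="])

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, audit_prefs(blob) or "OK")
```

On a real client, pass the function the bytes of the preferences file you pushed; the token is only base64-encoded, so anyone who can read that file or an unencrypted connection can recover the password.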
Consult the Munki Wiki for: Basic authentication setup for Munki
Ala Siu’s excellent write-up on securing Munki
Consider using a server made for securing Munki, like the Squirrel server from the MicroMDM project. More on this in another blog post.
Consider using a certificate from a known reputable certificate authority such as Let’s Encrypt (the Squirrel server above automates the setup with Let’s Encrypt).
Another project which seeks to combine all these open source projects in the Munki ecosystem is Munki in a Box. There’s a secure branch of this project which sets up basic authentication as well. While it aims to simplify setting up a secure Munki, it may be a bit confusing to set up at first glance. Test, and test again.