A collection of conditional items scripts for munki.
This is experimental. Please test that they work for you in your environment.
After cloning, run ./build.sh
, the resulting package is generated in ./dist/pkg/
.
The postinstall
script re-writes the shebang in the processor files if /usr/local/munki-python
is found.
Delete any processor you don't want to have run. An installer pkg that has a choices XML capability may be built in the future.
All binaries called by the processors exist in macOS 10.15.7+. No intention to make these backwards compatible with older macOS versions.
Raise an issue here https://github.com/carlashley/munkicon/issues.
To get any errors that might end up in stdout
/stderr
, manually execute the processors and copy+paste any output into the issue:
for i in /usr/local/munki/conditions/com.github.carlashley.munkicon.*.py; do $i; done
Usefule in determining various states/results pertaining to FileVault.
- Generates eight conditions:
-
filevault_active
is a booleanTrue
/False
based on FileVault being active or inactive. This differs fromfilevault_status
. Use this to determine if the disk has been encrypted and therefore FileVault is on.
-
filevault_decryption_in_progress
is a booleanTrue
/False
if decryption is in progress (True
), or not in progress (False
).
-
filevault_deferral
returnsnot_found
if there are no defferals, but will returnactive
if deferrals are found.
-
filevault_encryption_in_progress
is a booleanTrue
/False
if encryption is in progress (True
), or not in progress (False
).
-
filevault_institution_key
is a booleanTrue
/False
based on whether an institutional recovery key is in use.
-
filevault_personal_key
is a booleanTrue
/False
based on whether an personal recovery key is in use.
-
filevault_status
returns a string of eitheron
oroff
. This differes fromfilevault_active
. Use this to determine if FileVault has been turned on or off, and the disk is in the process of being encrypted or decrypted.
-
filevault_users
returns an array of usernames. The UUID for the user is not returned as this is not necessarily predictable.
- Usage (on their own or combine):
-
filevault_active == TRUE
-
filevault_decryption_in_progress == TRUE
-
filevault_deferral == 'active'
-
filevault_encryption_in_progress == FALSE
-
filevault_institution_key == TRUE
-
filevault_personal_key == FALSE
-
filevault_status == 'on'
-
ANY filevault_users == 'jappleseed'
Useful in determining if a package in a manifest should be made available (or not) based on if the KEXT is whitelisted. For example, an anti-virus application might run in a heavily crippled state if KEXTs are not whitelisted before installation.
- Generates three conditions:
-
kext_bundles
contains an array of Bundle ID's for KEXTs which are whitelisted (user and/or MDM).
-
-
- Example:
'com.vmware.kext.vmioplug.18.1.2'
- Example:
-
-
kext_teams
contains an array of Team ID's for KEXTs which have been whitelisted (user and/or MDM).
-
-
- Example:
'EG7KH642X6'
- Example:
-
-
kext_team_bundle
contains an array of Team ID's and Bundle ID's (as a comma seperated string) for any whitelisted KEXTs (user and/or MDM) which have both the Team ID and Bundle ID present.
-
-
- Example:
'EG7KH642X6,com.vmware.kext.vmioplug.18.1.2'
- Example:
-
- Usage (on their own or combine):
-
ANY kext_bundles == 'com.vmware.kext.vmioplug.18.1.2'
-
ANY kext_teams == 'EG7KH642X6'
-
ANY kext_team_bundle == 'EG7KH642X6,com.vmware.kext.vmioplug.18.1.2'
Useful in determining if a package in a manifest should be made available (or not) if a client is or is not enrolled in an MDM, For example, a particular set of apps might only need to be deployed to MDM supervised devices.
- Generates two conditions:
-
enrolled_via_dep
will beyes
orno
.
-
mdm_enrollment
will beyes_user_approved
orno
.
- Usage (on their own or combine):
-
enrolled_via_dep == 'yes'
-
mdm_enrollment == 'yes_user_approved'
Useful in determining if a package in a manifest should be made available based on whether any MDM deployed PPPCP payloads exist for a specifc Bundle ID or path. For example, the user experience for a particular app might be cumbersome if it is installed before a PPPCP payload is pushed to the client via MDM.
Each condition generates an array of strings that indicate if the PPPCP payload is allow
, deny
, or allow_user
. The format returned is either:
allow,org.example.foo
orallow,/Applications/Example.app
deny,org.example.foo
ordeny,/Applications/Example.app
allow_user,org.example.foo
this is only forListenEvent
andScreenCapture
, macOS 11+ and is the equivalent of the macOS 11+AllowStandardUserToSetSystemService
key.
The tcc_apple_events
condition additionally returns the AEReceiverIdentifier
if it exists. For example:
allow,org.example.foo,/Applications/Microsoft Remote Desktop.app
- Generates twenty-one conditions:
-
tcc_accessibility
-
tcc_address_book
-
tcc_apple_events
-
tcc_calendar
-
tcc_camera
-
tcc_file_provider_presence
-
tcc_listen_event
-
tcc_media_library
-
tcc_microphone
-
tcc_photos
-
tcc_post_event
-
tcc_reminders
-
tcc_screen_capture
-
tcc_speech_recognition
-
tcc_all_files
-
tcc_desktop_folder
-
tcc_documents_folder
-
tcc_downloads_folder
-
tcc_network_volumes
-
tcc_removable_volumes
-
tcc_sys_admin_files
- Usage (on their own or combine):
-
ANY tcc_all_files == 'allow,com.apple.Terminal'
-
ANY tcc_screen_capture == 'allow_user,us.zoom.xos'
-
ANY tcc_desktop_folder == 'deny,us.zoom.xos'
-
ANY tcc_apple_events == 'allow,net.pulsesecure.Pulse-Secure,net.pulsesecure.Pulse-Secure'
Useful in determing basic version information about various Python versions.
- Generates six conditions:
-
mac_os_python_path
is the real path (symlinks followed) of the Python framework that ships with macOS.
-
mac_os_python_ver
is the version string of the Python framework that ships with macOS.
-
munki_python_path
is the real path (symlinks followed) of the Python framework used by munki.
-
munki_python_symlink
is the symlink path of the Python framework used by munki.
-
munki_python_ver
is the version string of the Python framework used by munki.
-
official_python3_path
is the real path (symlinks followed) of the offical Python framework installation.
-
official_python3_ver
is the version string of the official Python framework installation.
- Usage (on their own or combine):
-
mac_os_python_path == '/usr/bin/python'
-
mac_os_python_ver BEGINSWITH '2.7'
-
munki_python_path CONTAINS 'Framework'
-
munki_python_ver >= 3.7.4
-
official_python3_path LIKE '/Library/Frameworks/Python.framework/Versions/3.*/bin/python3.*'
-
official_python3_ver LIKE '3.7.*'
Useful in determining if a package in a manifest should be made available (or not) based on if a System Extension is whitelisted. For example, a VPN might not run if its System Extensions are not whitelisted before installation.
- Generates four conditions:
-
sys_ext_bundles
contains an array of Bundle ID's for System Extensions which are whitelisted (user and/or MDM).
-
-
- Example:
'com.microsoft.wdav.netext'
- Example:
-
-
sys_ext_teams
contains an array of Team ID's for System Extensions which have been whitelisted (user and/or MDM).
-
-
- Example:
'UBF8T346G9'
- Example:
-
-
sys_ext_team_bundle
contains an array of Team ID's and Bundle ID's (as a comma seperated string) for any whitelisted System Extensions (user and/or MDM) which have both the Team ID and Bundle ID present.
-
-
- Example:
'UBF8T346G9,com.microsoft.wdav.netext'
- Example:
-
-
sys_ext_types
contains an array of Team ID's and Extension Types (DriverExtension
,NetworkExtension
,EndpointSecurityExtension
) that have been whitelisted (MDM).
- Usage (on their own or combine):
-
ANY sys_ext_bundles == 'com.microsoft.wdav.netext'
-
ANY sys_ext_teams == 'UBF8T346G9'
-
ANY sys_ext_team_bundle == 'UBF8T346G9,com.microsoft.wdav.netext'
-
ANY sys_ext_types == 'UBF8T346G9,EndpointSecurityExtension'
Useful for obtaining various bits of system setup information.
- Generates 11 conditions:
-
ard_enabled
is eitherTrue
orFalse
. Relies on/usr/libexec/mdmclient
existing.
-
cups_web_interface_enabled
is eitherTrue
orFalse
.
-
efi_password_enabled
is eitherTrue
orFalse
. Relies on/usr/libexec/mdmclient
existing.
-
ntp_enabled
is eitherTrue
orFalse
.
-
ntp_servers
returns an array of all servers found in/etc/ntp.conf
.
-
printer_sharing_enabled
is eitherTrue
orFalse
.
-
remote_apple_events_enabled
is eitherTrue
orFalse
.
-
sip_enabled
is eitherTrue
orFalse
.
-
ssh_enabled
is eitherTrue
orFalse
.
-
timezone
returns the timezone as a string in the format"Australia/Melbourne"
.
-
wake_on_lan
is eitherTrue
orFalse
.
- Usage (on their own or combine):
-
ard_enabled == TRUE
-
cups_web_interface_enabled == FALSE
-
efi_password_enabled == TRUE
-
ntp_enabled == TRUE
-
ANY ntp_servers == 'time.apple.asia.com'
-
printer_sharing_enabled == FALSE
-
remote_apple_events_enabled == FALSE
-
sip_enabled == TRUE
-
ssh_enabled == TRUE
-
timezone "Australia/Melbourne"
-
wake_on_lan == FALSE
Useful in determining if a package in a manifest should be made available based on whether a local user account exists on a client. For example, customised profile settings for a local user should only be installed if that user exists.
- Generates one condition:
-
user_home_path
that contains an array of username and home path locations (as a comma seperated string) for local accounts only (ignoring all inbuilt accounts except forroot
). This combination is used as home paths do not necessarily have the username forming part of the path.
- Usage (on their own or combine):
-
ANY user_home_path == 'administrator,/Users/admin'