
Tool to create and update Munki manifests for devices managed in Intune

Project description

This is a tool to generate Munki manifests for devices managed by Intune. Instead of manually managing manifests for each device, this tool uses the groups the user and/or device is a member of to determine which included manifests and catalogs the device should be a member of.

To do this, you create a JSON file and pass it when executing, like this: munki-manifest-generator -j path_to_json. The JSON needs to be specified as below:

NOTE: Name of the manifest in Munki should match with the name of the group

[
    {
        "id": "id_of_aad_group", // id of the group in Azure AD
        "name": "name_of_manifest", // name of manifest in Munki
        "catalog": "catalog_name", // name of catalog in Munki or null
        "type": "type_of_group" // valid values are "user" or "device"
    }
]

Say you have manifests and catalogs for testing, Beta and Pre-Production. You can specify the Azure AD groups the user or device needs to be a member of in order to be included. If you then set this up to run on a schedule, the device's membership is updated in Munki whenever the user or device is added to or removed from a group.

[
    {
        "id": "111-111-111-111",
        "name": "internal-testing",
        "catalog": "testing",
        "type": "device"
    },
    {
        "id": "222-222-222-222",
        "name": "Beta-users",
        "catalog": "Beta",
        "type": "user" 
    },
    {
        "id": "333-333-333-333",
        "name": "pre-production",
        "catalog": "preprod",
        "type": "device"
    }
]

If you run this tool from an agent where it can be a hassle to pass a file, you can instead pass a list of dicts in a script. The example below runs in an Azure Runbook where variables have been configured on the automation account; sensitive information like the client secret and connection strings has been saved as encrypted variables. It is also prepared to be executed from a webhook targeting a specific device:

#!/usr/bin/env python3

import os
import sys
import json
import automationassets

from automationassets import AutomationAssetNotFound
from munki_manifest_generator import main as mmg

webhook = False
# If executed from webhook, load json data and set webhook to True
if len(sys.argv) > 1 :
    data = sys.argv[1].split(",")
    w_data = data[1].replace("RequestBody:","")
    webhook_data = json.loads(w_data)
    webhook = True
    serial = webhook_data['serial']

# Load the automation account variables into the environment
os.environ['CLIENT_ID'] = automationassets.get_automation_variable("CLIENT_ID")
os.environ['CLIENT_SECRET'] = automationassets.get_automation_variable("CLIENT_SECRET")
os.environ['CONTAINER_NAME'] = automationassets.get_automation_variable("CONTAINER_NAME")
os.environ['AZURE_STORAGE_CONNECTION_STRING'] = automationassets.get_automation_variable("AZURE_STORAGE_CONNECTION_STRING")
os.environ['TENANT_NAME'] = automationassets.get_automation_variable("TENANT_NAME")

groups = [
    {
        "id": "id_of_aad_group_1",
        "name": "name_of_manifest_1",
        "catalog": "catalog_name_1",
        "type": "type_of_group_1"
    },
    {
        "id": "id_of_aad_group_2",
        "name": "name_of_manifest_2",
        "catalog": "catalog_name_2",
        "type": "type_of_group_2"
    }
]

if webhook is True:
    mmg.main(group_list=groups, serial_number=serial)
else:
    mmg.main(group_list=groups)
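
An added example, not part of the project's code: the runbook above hands the webhook-supplied serial to mmg.main as received, so this helper reads the RequestBody without relying on a comma split and rejects anything that does not look like a serial number. The function name, the serial pattern and the sample argument are assumptions constructed for illustration.

```python
import json
import re

# Assumption: serials are 8-14 upper-case letters/digits; adjust to your fleet.
SERIAL_RE = re.compile(r"[A-Z0-9]{8,14}")
MARKER = "RequestBody:"


def serial_from_webhook(raw_arg):
    """Return the validated serial from the runbook's webhook argument.

    Raises ValueError when the body is missing, is not a JSON object, or
    carries a serial that does not match SERIAL_RE.
    """
    start = raw_arg.find(MARKER)
    if start == -1:
        raise ValueError("no RequestBody field in webhook argument")
    start += len(MARKER)
    while start < len(raw_arg) and raw_arg[start].isspace():
        start += 1
    # raw_decode parses exactly one JSON value and ignores what follows,
    # so commas inside the body do not break the parsing.
    try:
        body, _ = json.JSONDecoder().raw_decode(raw_arg, start)
    except json.JSONDecodeError as exc:
        raise ValueError("RequestBody is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValueError("RequestBody must be a JSON object")
    serial = body.get("serial")
    if not isinstance(serial, str) or not SERIAL_RE.fullmatch(serial.strip()):
        raise ValueError("serial missing or malformed")
    return serial.strip()


# Constructed sample in the shape the runbook above expects in sys.argv[1].
SAMPLE = ('{WebhookName:mmg,'
          'RequestBody:{"serial":"C07EXAMPLE01","note":"a,b"},'
          'RequestHeader:{}}')

if __name__ == "__main__":
    print(serial_from_webhook(SAMPLE))
```

In the runbook, call it inside a try/except ValueError and exit before mmg.main when validation fails.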

In addition to importing this package to your automation account when running from Azure Automation, you must also import the following packages,

Install this package

pip install Munki-Manifest-Generator

Update this package

pip install Munki-Manifest-Generator --upgrade

Get help

Munki-Manifest-Generator --help

Testing mode

You can run this tool without making any changes to the manifests on Azure Storage, which is useful for testing the groups in a JSON file or validating that nothing unwanted will happen in your environment. The only thing you have to do is add the -t parameter.

Running from command line:

munki-manifest-generator -j path_to_json -t

Running from a script:

mmg.main(group_list=groups, test=True)

Environment variables

To use the tool, you must set the following environment variables, which are used to authenticate to Azure Storage and Microsoft Graph:

  • CLIENT_ID - Azure AD App Registration client id
  • CLIENT_SECRET - Azure AD App Registration client secret
  • TENANT_NAME - Name of your Azure tenant, i.e. example.onmicrosoft.com
  • CONTAINER_NAME - Name of your Azure Storage Container
  • AZURE_STORAGE_CONNECTION_STRING - Connection string to your Azure Storage account

If using interactive authentication, the CLIENT_SECRET is not required.

If using certificate authentication, additional environment variables are required,

  • THUMBPRINT - Thumbprint of the certificate on your app registration
  • KEY_FILE - Path to the private key of the certificate on your app registration

Azure AD app registration permissions

  • DeviceManagementManagedDevices.Read.All
  • Directory.Read.All
  • GroupMember.Read.All
  • Group.Read.All

Generated manifest example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>catalogs</key>
	<array>
		<string>testing</string>
		<string>Production</string>
	</array>
	<key>display_name</key>
	<string>tobias’s Mac</string>
	<key>included_manifests</key>
	<array>
		<string>site_default</string>
		<string>internal-testing</string>
	</array>
	<key>managed_installs</key>
	<array/>
	<key>optional_installs</key>
	<array/>
	<key>serialnumber</key>
	<string>C07XXXXXXXXX</string>
	<key>user</key>
	<string>user@example.onmicrosoft.com</string>
</dict>
</plist>
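
An added example, not part of the project's code: a check that a generated manifest only carries catalogs and included manifests that the groups list can account for, which is useful next to a test-mode run. The base entries "Production" and "site_default" are assumed from the sample manifest above; the function name and the sample data are constructed for illustration.

```python
import plistlib

# Assumption: entries every device gets regardless of group membership,
# taken from the sample manifest on this page.
BASE_CATALOGS = {"Production"}
BASE_MANIFESTS = {"site_default"}


def audit_manifest(plist_bytes, groups):
    """Return (finding, value) pairs for entries the groups list cannot explain."""
    manifest = plistlib.loads(plist_bytes)
    ok_catalogs = BASE_CATALOGS | {g["catalog"] for g in groups if g["catalog"]}
    ok_manifests = BASE_MANIFESTS | {g["name"] for g in groups}
    findings = []
    for cat in manifest.get("catalogs", []):
        if cat not in ok_catalogs:
            findings.append(("unexpected catalog", cat))
    for inc in manifest.get("included_manifests", []):
        if inc not in ok_manifests:
            findings.append(("unexpected included manifest", inc))
    return findings


# Constructed sample: the manifest format shown above with an extra "dev" catalog.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>catalogs</key>
  <array><string>testing</string><string>dev</string><string>Production</string></array>
  <key>included_manifests</key>
  <array><string>site_default</string><string>internal-testing</string></array>
  <key>managed_installs</key>
  <array/>
  <key>serialnumber</key>
  <string>C07EXAMPLE01</string>
</dict>
</plist>"""

GROUPS = [{"id": "111-111-111-111", "name": "internal-testing",
           "catalog": "testing", "type": "device"}]

if __name__ == "__main__":
    for finding, value in audit_manifest(SAMPLE, GROUPS):
        print(f"{finding}: {value}")
```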

Source Distribution

munki_manifest_generator-1.2.1.tar.gz (16.8 kB)

Built Distribution

Munki_Manifest_Generator-1.2.1-py3-none-any.whl (21.7 kB)