Managing the Authorization Database with Munki
22 Dec 2013
Have you ever wished you didn’t have to take calls from your users to unlock various parts of System Preferences? That standard users could unlock Energy Saver or Date and Time preferences? Well, dear reader, this is the article for you.
If, for some strange reason, you can’t be bothered to read this overly long article (I do love to procrastinate), you can head over to my macscripts repo on GitHub for the scripts and resulting pkginfo files I’ve made for this.
Before we start, let’s get one thing out of the way - Munki isn’t at heart a configuration management system. I’ve traditionally preferred Puppet for these tasks, but as there is, at the time of writing, a bug open on modifying this with Puppet, I took it upon myself to make this work in my environment. I spent a couple of days trying to get my sub-par Ruby skills to match my aspirations, so I moved on to a much more comfortable technology for me: Python and Munki.
To tackle this issue, I’m going to be using the same philosophy as Puppet:
Check if the resource exists and what its current value is
If required, change the value
And be able to revert back to how things were
These translate quite nicely into installcheck_script, postinstall_script and uninstall_script rolled into a nopkg pkginfo (for a good intro to how nopkg pkginfos work, see how to manage printers with them over on the Munki wiki). We could do this with a payload-free package and an installcheck_script just as easily, but as we’re already putting code into our pkginfo, we might as well keep it all in one place.
Our installcheck_script is going to be very basic. To first open up the root system.preferences right, we just need to make sure that the group is set to everyone rather than admin. If you want to use another group, just substitute it in the group variable in the installcheck_script and the postinstall_script.
The postinstall_script is just an extension of the installcheck_script - but we’re going to make use of Python’s built-in plistlib to modify the plist and feed it back into security authorizationdb to set our desired settings.
We should be good admins and clean up after ourselves, so we’ll include an uninstall script.
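The check, change and revert steps described above, as an added Python 3 example rather than the scripts from the macscripts repo. It assumes the default group for the right is admin, that the uninstall step should restore it, and that Munki treats an installcheck_script exit code of 0 as "install needed"; the mode names and SAMPLE plist are constructed for illustration. Only the group key is edited, so every other key in the right is written back unchanged.

```python
import plistlib
import subprocess
import sys

RIGHT = "system.preferences"  # right named in the article
OPEN_GROUP, DEFAULT_GROUP = "everyone", "admin"  # admin default is assumed
SECURITY = ["/usr/bin/security", "authorizationdb"]
# Constructed sample of a right definition, used for the offline dry run.
SAMPLE = plistlib.dumps({"class": "user", "group": "admin", "shared": True})


def needs_change(plist_bytes, group):
    """True when the right's 'group' key differs from the wanted group."""
    return plistlib.loads(plist_bytes).get("group") != group


def with_group(plist_bytes, group):
    """Re-serialise the right with only 'group' changed; other keys survive."""
    right = plistlib.loads(plist_bytes)
    right["group"] = group
    return plistlib.dumps(right)


def read_right():
    """security authorizationdb read <right> prints the plist on stdout."""
    return subprocess.run(SECURITY + ["read", RIGHT], check=True,
                          capture_output=True).stdout


def write_right(plist_bytes):
    """security authorizationdb write <right> takes the plist on stdin."""
    subprocess.run(SECURITY + ["write", RIGHT], input=plist_bytes,
                   check=True, capture_output=True)


def main(mode):
    if mode == "dry-run":  # no system access: show the edit on SAMPLE
        print(with_group(SAMPLE, OPEN_GROUP).decode())
        return 0
    current = read_right()
    if mode == "installcheck":
        # Munki convention: exit 0 = install needed, non-zero = skip
        return 0 if needs_change(current, OPEN_GROUP) else 1
    # "postinstall" opens the right; any other mode restores the default
    target = OPEN_GROUP if mode == "postinstall" else DEFAULT_GROUP
    if needs_change(current, target):
        write_right(with_group(current, target))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "dry-run"))
```

Run with no argument it only prints the edited sample; the installcheck, postinstall and uninstall modes need root on a Mac because they call security authorizationdb.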
Getting it into Munki
Now we’ve got our three scripts, we need to get them together into a pkginfo file. Assuming the scripts you’ve just made live in ~/src/macscripts/Munki/Auth:
Which will produce the bare bones of a pkginfo file, but there are a few other things we need to add into it. Modify OpenSysPref-1.0.plist to look like the below. For further documentation on what we’re doing here, have a look at the Munki wiki. The important parts you’ll need to add / modify are:
unattended_install (if you want it to apply in the background)
At this point, you should be able to add this pkginfo to your Munki repository, include it in a manifest and - well, nothing will happen, as this only unlocks the top level of System Preferences. If you want to do more, you’ll need to unlock additional parts as well - the scripts to do this can be found in my macscripts repository. I’ve specified that OpenSysPrefs is required in all of these - this means I can include only the needed modifications in the manifest and not worry about the top level being unlocked.
Also remember that Munki has conditional items built right in - you might only want to unlock the Network pane on laptops so they can install VPN profiles, etc., using something like this: