The Entra Munki Software Assignment system allows you to use Entra ID (formerly Azure AD) dynamic or static groups to directly scope software assignments in Munki using Munki-Conditions. This integration enables automated software deployment based on user attributes such as department, location, and assigned software packages.
The system operates by:
- Entra ID Configuration: User attributes and group memberships are configured in Entra ID
- Intune/MDM Deployment: Configuration profiles deploy managed preferences to macOS devices
- Munki Conditions: Shell scripts read these preferences and create Munki conditional items
- Software Assignment: Munki uses these conditions to determine which software to install
Entra ID Groups → Intune Configuration Profiles → Managed Preferences → Munki Conditions → Software Installation
The system includes several condition scripts that monitor different aspects of user assignment:
- Purpose: Detects assigned software titles for users
- Reads: /Library/Managed Preferences/com.companyname.software.*
- Creates: Conditions like software.title == "Yes"
- Use Case: Deploy specific software packages to assigned users
- Purpose: Identifies user's department affiliation
- Reads: /Library/Managed Preferences/com.companyname.userdepartment.plist
- Creates: Conditions like user.department == "Finance"
- Use Case: Deploy department-specific software and configurations
- Purpose: Determines user's country location
- Reads: /Library/Managed Preferences/com.companyname.usercountry.plist
- Creates: Conditions like user.country == "US"
- Use Case: Deploy region-specific software or comply with local regulations
- Purpose: Identifies user's office location
- Reads: /Library/Managed Preferences/com.companyname.useroffice.plist
- Creates: Conditions like user.office == "Headquarters"
- Use Case: Deploy location-specific resources or printers
The Configuration/Templates/Preference File/ directory contains XML templates for various scenarios:
- com.companyname.userdepartment-Finance.xml
- com.companyname.userdepartment-Creative.xml
- com.companyname.userdepartment-Marketing.xml
- com.companyname.userdepartment-HumanResources.xml
- com.companyname.usercountry-USA.xml
- com.companyname.usercountry-GBR.xml
- com.companyname.office-Headquarters.xml
- com.companyname.software.snagit.xml
- com.companyname.software.telegram.xml
- Munki environment configured and operational
- Intune or other MDM solution capable of deploying configuration profiles
- Entra ID with appropriate user attributes configured
- Deploy Condition Scripts
  # Copy condition scripts to Munki conditions directory
  sudo cp Conditions/*.sh /usr/local/munki/conditions/
  sudo chmod +x /usr/local/munki/conditions/*.sh
- Configure Munki to Run Conditions
  - Add scripts to your Munki condition execution workflow
  - Ensure scripts run before Munki evaluates manifests
- Create Intune Configuration Profiles
  - Use the XML templates in Configuration/Templates/
  - Create custom configuration profiles for each scenario
- Configure Entra ID Groups
  - Create dynamic or static groups based on user attributes
  - Assign appropriate configuration profiles to groups
To assign software based on user assignment:
- Create Entra ID Group: Users who should receive specific software
- Deploy Configuration Profile: Contains com.companyname.software.appname.xml
- Munki Manifest Condition:
<key>installable_condition</key> <string>software.appname == "Yes"</string>
To deploy software based on department:
- Set User Department: In Entra ID user attributes
- Create Dynamic Group: Based on department attribute
- Deploy Configuration Profile: Contains department-specific preferences
- Munki Manifest Condition:
<key>installable_condition</key> <string>user.department == "Finance"</string>
To deploy software based on user location:
- Configure Location Attributes: Country/office in Entra ID
- Create Location Groups: Dynamic groups for each location
- Deploy Location Profiles: Appropriate configuration profiles
- Munki Manifest Conditions:
<key>installable_condition</key> <string>user.country == "US" AND user.office == "Headquarters"</string>
Update the preference domain identifiers in all scripts:
# Change from default
SOFTWARE_CHECK="com.companyname.software"
# To your organization
SOFTWARE_CHECK="com.yourorg.software"
To create new condition types:
- Create New Script: Based on existing script templates
- Define Preference Domain: Choose appropriate identifier
- Create XML Templates: For Intune configuration profiles
- Test Conditions: Verify Munki recognizes new conditions
- Verify scripts have execute permissions
- Check script paths in Munki configuration
- Ensure managed preferences are deployed correctly
- Validate XML template syntax
- Confirm preference domain names match between scripts and profiles
- Check for typos in condition names
- Verify condition syntax in Munki manifests
- Check that condition values match exactly
- Review Munki logs for condition evaluation
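The checks above, "condition names" and "values match exactly", can be automated. The following is an added example, not code from the project: it parses the `key == "value"` / `AND` condition strings shown on this page and reports why each clause fails against a set of conditions. It assumes the conditions are available as a flat mapping of dotted names to string values; `SAMPLE_CONDITIONS` is constructed for illustration.

```python
import re

# One `key == "value"` comparison, the only clause form used on this page.
CLAUSE = re.compile(r'\s*([A-Za-z_][\w.]*)\s*==\s*"([^"]*)"\s*')


def parse_condition(predicate):
    """Split an AND-joined predicate into (key, expected_value) pairs."""
    clauses = []
    for part in re.split(r'\s+AND\s+', predicate.strip()):
        m = CLAUSE.fullmatch(part)
        if m is None:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def explain(predicate, conditions):
    """Return the reasons the predicate fails; an empty list means it matches."""
    problems = []
    lowered = {k.lower(): k for k in conditions}
    for key, expected in parse_condition(predicate):
        if key not in conditions:
            near = lowered.get(key.lower())
            hint = f" (did you mean {near!r}?)" if near else ""
            problems.append(f"{key}: no such condition{hint}")
            continue
        actual = conditions[key]
        if actual == expected:
            continue
        if str(actual).strip().lower() == expected.strip().lower():
            problems.append(f"{key}: {actual!r} differs from {expected!r} only by case/whitespace")
        else:
            problems.append(f"{key}: is {actual!r}, manifest expects {expected!r}")
    return problems


# Constructed sample: conditions as a condition script might have written them.
SAMPLE_CONDITIONS = {
    "software.snagit": "Yes",
    "user.department": "finance",    # value case differs from the manifest
    "user.country": "US",
    "User.Office": "Headquarters",   # key case differs from the manifest
}

if __name__ == "__main__":
    for pred in ('software.snagit == "Yes"',
                 'user.department == "Finance"',
                 'user.country == "US" AND user.office == "Headquarters"'):
        print(pred, "->", explain(pred, SAMPLE_CONDITIONS) or "match")
```
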
Check managed preferences:
sudo defaults read "/Library/Managed Preferences/com.companyname.software.appname"
Verify condition creation:
sudo defaults read "/path/to/munki/ConditionalItems"
Monitor Munki condition evaluation:
sudo /usr/local/munki/munki-python -c "import munki; print(munki.getConditions())"
- Use consistent preference domain naming
- Choose descriptive condition names
- Document all custom conditions
- Regularly review and update condition scripts
- Test new configurations in development environment
- Keep documentation current with changes
- Munki Conditional Items Documentation
- Alternate Azure Automation Example
- Intune Configuration Profile Documentation
For issues and questions:
- Review troubleshooting section above
- Check Munki community resources
- Consult Intune documentation for MDM-related issues
This documentation is for the Entra Munki Software Assignment project. For the latest updates and examples, visit the project repository.