8 open source tools for managing macOS
8 open source tools for managing macOS
It's a great time to be a macOS admin thanks to great open source tools like these.
A phrase I hear quite a bit these days is, "What a great time to be a Mac admin!" I think there are a lot of factors contributing to that feeling, but the one of the biggest is the explosion of tools developed by the incredible open source community managing macOS. Here are eight of the tools I'm most interested in.
The Luggage is a wrapper that allows you to create Apple PKG format packages for internally developed applications. It requires Apple command line developer tools to be installed. The use of a makefile allows for easy versioning and exploration of differences between package versions.
Munki isn't an app as much as it is an idea or an ecosystem. It deploys imported applications to clients in a defined manner. Its logic is almost exclusively run on the client software on each machine under the guise of Managed Software Center.app. Because of this, the repository of applications and metadata can be stored on any web server on any platform you feel comfortable deploying in your environment.
Munki runs under Managed Software Center
Munki allows for the selective deployment of specific apps, allowing for the "optional install" of some while also having the ability of a "force install by date" for any package. The Managed Software Center application can act as a self-service portal for internal applications, and customizable headers and side panel links give it the potential to be a central springboard for your organization. In this brief overview, I can't describe all that munki can do, so I encourage you to check out the documentation.
Reposado is a set of Python tools that mimics the Apple Server's Software Update Caching Service. Reposado is nice if you would like to cache Apple Software Updates and deploy them internally for bandwidth savings. It also allows granular control so you have the option to release new updates to a test group before they hit your production environment. It's simple but very effective in what it what it does, and at a couple hundred megabytes per update release, it may save you quite a bit of bandwidth depending on your environment.
Fleet visibility and client management
Munkireport-php uses munki's run schedule and flight scripts to gather and present data about any machines using munki. Munkireport-php is an incredible tool for fleet visibility—from diskspace to domain binding, internet interfaces to munki run status, its dashboard presents a great amount of information about anything from a few machines to a mass fleet.
Another benefit of munkireport-php is its modular design, which allows you to add your own items to munkireport-php without changing the underlying code. It's designed to expand via modules, and it's easy for users to create new ones, provided they don't already exist in the expansive list of default modules.
Osquery is described as "operating system instrumentation framework." When I first heard of it, I had no clue what it does, but I can now summarize it as "a lot." Its GitHub does a much better job of describing it: "osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes." The possibilities for osquery seem overwhelming, but it has some good query packs for macOS attacks on its project site.
Google Santa (Beta)
Santa is a management tool that allows for the whitelisting/blacklisting of items on a macOS system. It monitors macOS for any binary execution, checks the binary against a defined database, and either blocks or allows the binary. Santa almost has a "naughty or nice" mentality … I see what they did there. Santa operates in two main modes: "Monitor" mode, which by default will allow all binaries to run unless they're marked "block," and "Lockdown," which allows only whitelisted binaries to execute.
As Santa's Intentions and Expectations statement says: "No single system or process will stop all attacks, or provide 100% security... As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Independently, Santa can aid in analyzing what is running on your computer."
Zentral is No. 1 on my watch list at the moment, and in my development environment it's a tool that integrates several of the previously mentioned tools and many others. Zentral is a centralized place to add, maintain, and initiate queries via osquery. It also supports Google Santa, acting as a central point to create and maintain block/allow lists of binaries. If you stopped there I would be sold, but it gets better, as zentral can gather and parse information from several different client management suites such as munki, as well as commercially available solutions such as JAMFPro and Filewave.
Some of zentral's architecture areas
Parts of zentral's ecosystem
This may not be a specific software or tool, but in my opinion, the community is the macOS admin's most important tool. If you reach out for help on any of the projects listed here, the community may point you to its respective channel in the MacAdmins Slack. Slack is a great place to connect with 10,000+ macOS administrators around the world. I have never worked in a community of people that is so welcoming and helpful. I hope to see you on Slack!
Lucas Hall spoke at LinuxFest Northwest 2017 and will be speaking at Penn State Macadmins 2017, presenting Managing macOS, without macOS (almost).