The following tutorial is based on and works for NetExtender version 7.5.774 for Mac. Your mileage may vary for other versions.
Why does NetExtender need a Munki-fied "update"?
The actual NetExtender application doesn't need anything special for Munki. You can do a regular munkiimport on the .dmg file, and it'll go in just fine and install to users' /Applications folders, as you'd expect any application to.
Likely your organization has some organization-specific parameters you want users to put in, though, and perhaps your own certificate to mark as trusted. One way to go about that is to offer written instructions to your users (type in this URL with this port number, etc.)
You can have the user do this, or you can create an "update" package for NetExtender that will make it so the user has to enter only her username and password.
Overview of NetExtender's configuration files
NetExtender creates several hidden files and folders in a user's directory when she launches up the program:
/Users/username/.netextender has the config preferences for the user
/Users/username/.netExtenderCerts has a folder inside it called PUB_CERT that stores site certificates.
/Users/username/.netExtender.log contains a log for the application. We don't need to worry too much about this file.
Overall procedure for creating "update" package
If you want to create an "update" package, this is how you can do it. First, install NetExtender on a computer and actually VPN in (you may have to be off site or tethered to a hotspot or phone). This will create the files and folders mentioned above.
Once you have the files created, open up the .netextender file with a text editor. You may have to show hidden files in Finder first. Under [profiles], you should see a line with your organization's information and your username and password, delimited by a | symbol (vertical slash). Replace both the username and password information with a single space. There may be a second line with a hashed password—go ahead and delete that line entirely. It should look something like:
blahblahblahconnectioninformation| | |blahblahmoreinformation
In that same file, under [trustedcerts], you'll see a line for your organization's certificate. Make a note of that line (or copy it to your clipboard or another text file for future reference).
Also go into /Users/username/.netExtenderCerts/PUB_CERT to find your ca-bundle.crt file. You'll need this later.
Create a package (if you're a novice at it like I am, you can use Packages to create the .pkg file using a graphical user interface). For the payload, you want to put .netextender (for visibility's sake, I renamed mine to be netextender and then used the script to put the dot back in front of the name... you can keep it with the dot in front, as long as you modify the script accordingly) and ca-bundle.crt in /Users/Shared, at least the way this script is written. You can modify the script and put the payload elsewhere.
Then, open up a real text editor like TextWrangler or nano (don't use TextEdit), and paste in and modify it as you see fit and save it as PutInConfigs.sh (or whatever you want to call it, really, as long as you can find it later).
# Change to /Users directory
# Loop through existing users
for p in *; do
# Check it's not a user we don't care about
if [[ $p != "adminuseraccount" && $p != "Shared" ]]; then
# See if the user already has a netextender config file
if [ -f /Users/$p/.netextender ]; then
# Append the trusted cert
sed -i .bak 's/\[trustedcerts\]/\[trustedcerts\]\'$'\nblahblahblahalltheinformationfromyourorganizationscertfile/' /Users/$p/.netextender
# Copy netextender to user's folder
cp /Users/Shared/netextender /Users/$p/.netextender
# Change ownership to user
chown $p /Users/$p/.netextender
# Make directories for the certificate
mkdir -p /Users/$p/.netExtenderCerts/PUB_CERT
# Copy certificate to the certificates folder
cp /Users/Shared/ca-bundle.crt /Users/$p/.netExtenderCerts/PUB_CERT/
# Change ownership to user
chown -R $p /Users/$p/.netExtenderCerts
# End if
# End loop
# Delete source files
Then, using Packages, make this a post-install script (so it'll run after delivering the payload of the two files).
The script loops through all the user accounts (except the ones specified) and then delivers the appropriate files for each user. This is a bit of roundabout hack, so maybe someone can point me in the direction of how to copy only to the logged-in user even though the script itself is running as root. Our use case is one primary user on a laptop, so if it were possible to install it to the currently-logged-in user, that'd be great. Specifying to avoid the other admin accounts seems to be fine, though.
The script will see if an existing .netextender config file already exists. If the config file already exists, the script will take the information about the trusted certs and just insert it into the existing file. If the .nextender file doesn't already exist, the new one will be copied in.
Then it will also make directories (if they don't already exist) needed for the trusted cert(s) and then copy the .crt bundle in.
Finally, it will delete the files-to-be-copied, because they've already been copied.
Importing into Munki
Once you have built your .pkg, use munkiimport to import it into Munki and then mark this "update" package as an update for your actual NetExtender imported .dmg package.
P.S. I use "update" in quotation marks, because it's not strictly an update. It's not like going from 7.5.774 to 7.5.775 or from 7.5 to 7.6. It's only an "update" in the sense that Munki needs to know to install this any time someone installs NetExtender.