Using Munki’s force_install_after_date key to force items to install

Keeping machines up to date can be a challenge. Munki tries to make this as seamless as possible, especially if you mark certain items as unattended installs (Munki will try to install those items in the background and not even bother the user).

But some updates require a logout or a reboot, and users generally don't like to log out or reboot often, particularly if they have laptops (as opposed to desktops). So pending updates can sit there for days, weeks, months, even over a year, unless you force the user to install the items.

I wouldn't recommend using the force_install_after_date option very often, but it can be very handy, particularly if there are critical updates that need to get to users.

And even though Munki itself will attempt to notify users of forced updates, you may want to accompany those built-in warnings with warnings of your own (via email, in person, etc.).

At the final countdown, the screenshots below are examples of what your users will see. Every time there's an OK button in the Managed Software Center, your user has the option to close Managed Software Center for a short time, but then MSC will just pop back up again soon. At the very last dialogue, the user will have no choice but to install the pending install item.

Once again, use sparingly, but you may need to use it, so it's good to know roughly what your users will see...

Requiring a user to be logged in to install a Munki item

You may occasionally get an item you want installed for clients, but the item is oddly constructed so as to require a user to be logged in. (Relevant Munki-Discuss mailing list thread)

Even though there are supported pkginfo keys in Munki to require a logout or require a reboot, there is no official way to require a login.

So the workaround I prefer is to use a preinstall script. From the Munki wiki:

Failure of the preinstall_script will abort the installation attempt. Failure of the postinstall_script will log errors, but the install will be considered complete.

I've created a simple template for a preinstall script that will fail (exit 1) if the user isn't logged in. Just make that the preinstall_script for your pkginfo, and you're all set. Make sure to test it, though, obviously.

P.S. I had considered using admin-provided conditions, but the preinstall_script is handy, because it's tied to the item, so I don't have to manually remember the condition each time I add the item to a manifest.
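One way to write the kind of preinstall_script described above, as an added example (this is not the author's template, which is not reproduced on this page). The function names are hypothetical, and treating root, loginwindow and _mbsetupuser as "nobody logged in" is an assumption of this sketch.

```bash
#!/bin/bash
# Added example: preinstall_script that aborts unless a user is logged in.

# Owner of /dev/console is the user at the macOS GUI console
# (BSD stat syntax; prints "root" while the login window is showing).
console_owner() {
    /usr/bin/stat -f%Su /dev/console 2>/dev/null
}

# Succeed only for a real user session. Empty output means the lookup
# failed; the other names are system or placeholder names, not a person.
is_real_console_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Optional $1 overrides the lookup so the logic can be tested without
# logging out. Returns 0 to let the install proceed, 1 to abort it.
preinstall_check() {
    user="${1-$(console_owner)}"
    if is_real_console_user "$user"; then
        echo "Console user '$user' is logged in; continuing."
        return 0
    fi
    echo "No user logged in at the console; aborting install." >&2
    return 1
}

# Run the check only on macOS, so the functions can be exercised elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then
    preinstall_check || exit 1
fi
```

Because a failing preinstall_script aborts the installation attempt, the item stays pending until a later Munki run finds a user logged in.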