If you want to go full throttle…
The Munki Wiki has some detailed instructions (and a script) to set up your own certificate authority and then issue (and revoke) client certificates:
Using Munki With SSL Client Certificates
If you want something secure but simple
If you want something a little bit simpler but not straight plain text with no authentication, another option is to enable SSL and couple it with basic authentication. This post will walk you through that process, using a Mac desktop Apache server (the process is probably similar for Ubuntu or Windows Apache, but there may be small tweaks).
Use a real certificate
If your server is public-facing, you can use Let’s Encrypt to get a free proper certificate, or, if you can afford one, you can just buy a proper certificate and install it.
But if you don’t want to pay for a certificate and if your server is also not public-facing, you may want to go for a self-signed certificate, which can still have some security issues but is better than using plain text http.
Set up a self-signed certificate
On your Apache server, you’re going to create a self-signed certificate, which means it will be untrusted by pretty much any web browser when visiting https, but for Munki it will be fine as long as we put the .pem file in the right place.
Generate the server key:
Create a .pem
sudo chown root:wheel /etc/apache2/server.key
sudo mv server.crt /etc/apache2
sudo chown root:wheel /etc/apache2/server.crt
Enable SSL on Apache
Edit the httpd.conf file while making a backup
Edit the httpd-ssl.conf file while making a backup
Enable basic authentication
If your Munki repo isn’t in /Library/WebServer/Documents/munki_repo, feel free to adjust to your actual setup:
htpasswd -c .htpasswd munki
Go back and edit your httpd.conf file
AuthName "Authentication Required"
Allow from all
Test your Apache config
Since you’ve been editing a couple of configuration files, make sure you didn’t make any syntax errors:
Set up your clients to use basic authentication
Okay. Remember how I said not to forget the password for basic authentication? Well, you need that password now. On your client you’ll be running a bunch of commands. Don’t save your commands for this session to the ~/.bash_history file:
Write that to the “secret” (still readable by admins who escalate to root) Managed Installs .plist:
If you’re going with a self-signed certificate, copy the ca.pem from your server to the client machine (in its desktop folder, for example). Then, on the client machine, move it to the appropriate place with the appropriate permissions:
sudo mv ~/Desktop/ca.pem /Library/Managed\ Installs/certs/
sudo chown -R root:wheel /Library/Managed\ Installs/certs
sudo chmod 700 /Library/Managed\ Installs/certs
sudo chmod 600 /Library/Managed\ Installs/certs/ca.pem
If you have a proper certificate from Let’s Encrypt or another certificate authority, you don’t need this ca.pem file.
Finally, test it out and make sure everything works!
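As an added example (not code from the original post), here is a small set of shell helpers for the client side of the steps above: it builds the Basic header Munki sends, refuses a repo URL that is not https (basic auth over plain http would leak the password), checks that ca.pem ended up with mode 600, and probes the repo with curl using that header and CA file. The ManagedInstalls preference domain and its AdditionalHttpHeaders key are Munki's own; the server name, user name and password are assumed placeholders.

```shell
#!/bin/sh
# Helpers for a Munki client talking to an Apache repo behind SSL + basic auth.
# Added example, not from the original post. Assumed: Munki reads the
# AdditionalHttpHeaders key from /Library/Preferences/ManagedInstalls; the
# user/password values passed in are constructed placeholders.

# Build the header Munki will send: "Authorization: Basic base64(user:password)".
basic_auth_header() {
  # printf, not echo, so no trailing newline gets encoded into the token
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Basic auth only protects the password if the repo URL is https.
repo_url_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# The CA file should be readable only by root (mode 600), as in the post.
# stat takes different flags on macOS and Linux, so pick by platform.
cert_mode_ok() {
  if [ "$(uname)" = "Darwin" ]; then
    mode=$(stat -f '%Lp' "$1")
  else
    mode=$(stat -c '%a' "$1")
  fi
  [ "$mode" = "600" ]
}

# Write the header into the ManagedInstalls plist (run on the client as admin).
configure_client() {
  repo_url_is_https "$3" || { echo "refusing non-https repo: $3" >&2; return 1; }
  sudo defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL "$3"
  sudo defaults write /Library/Preferences/ManagedInstalls \
    AdditionalHttpHeaders -array "$(basic_auth_header "$1" "$2")"
}

# Fetch one known repo item (e.g. a catalog URL) the way Munki would, trusting
# only ca.pem. Non-zero exit means a TLS or authentication failure.
probe_repo() {
  curl --silent --fail --output /dev/null \
    --cacert "/Library/Managed Installs/certs/ca.pem" \
    -H "$(basic_auth_header "$2" "$3")" "$1"
}
```

Typical use on the client: `configure_client munki 'the-password' https://munki.example.com/munki_repo`, then `probe_repo https://munki.example.com/munki_repo/catalogs/production munki 'the-password'` to confirm the certificate and credentials are accepted before running managedsoftwareupdate.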
How secure is this?
All this secures is network traffic, so you’re not passing information in plain text. It also means random computers that just know the address of your repository can’t randomly access all the packages in your Munki repo.
But this does not secure against your actual users, especially if they have admin privileges on their machines (or have extended physical access to their machines, which—with a little know-how or Google Fu—is essentially root access).
To a certain extent, this may be a moot point if your Munki server isn’t public-facing, but it’s still a nice, small barrier to put up in case you have someone somehow get on your internal network and want to sniff around.
I cobbled the instructions above together from these tutorials: