
#6482 Migrate munki.health.umt.edu to munki.ito.umt.edu dual Mac mini setup

Resolved 2 Normal Created Nov 20, 2020, 6:15 PM Resolved Sep 27, 2023, 10:57 PM
Artichoke Support - Peet (internal) Nov 20, 2020, 6:15 PM
SOW:
1. Migrate munki.health.umt.edu to munki01.ito.umt.edu
2. Build redundancy by creating warm clone on munki02.ito.umt.edu
3. Migrate existing munki.health.umt.edu clients and client settings to munki.ito.umt.edu.
   A. WASABI: Create new buckets for um-munki and um-public
   B. WASABI: Create new API keys for clients and munkiadmin post migration
   C. GITHUB: Create UM-IT organization and migrate GitHub repos to the Org
4. Upgrade Munki-enroll to current peetinc release to enable a more streamlined enrollment
5. Build and Sign AI packages for touchless deployments.
Artichoke Support - Peet (internal) Nov 20, 2020, 6:53 PM
Completed as of 20.11.20:
1. munki01.ito.umt.edu built and configured to clone settings and data to munki02.ito.umt.edu.
   A. MAMP PRO Apache site configured for munki.health.umt.edu and munki.ito.umt.edu (SSL enabled for munki.health.umt.edu)
   B. Existing basic auth (health-munki) for /repo migrated. um-munki basic auth added
   C. CarbonCopy Cloner configured for certificate-based cloning of data drive and MAMP PRO Apache Server configurations (NOT SCHEDULED)
   D. Installed and configured ProfileCreator. Linked to munki-sysadmin Repo
   E. Installed and configured Autopkgr. Re-synchronized repos manually for munki01 and munki02. Migrated overrides and recipie_list to munki-sysadmin repo
   J TO-DO: 1x CarbonCopyCloner License (https://sites.fastspring.com/bombich/product/ccc5)
   J TO-DO: 1x MAMP Pro 6 License (https://www.mamp.info/en/store/)
   J TO-DO: CNAME munki.health.umt.edu -> munki01.ito.umt.edu (low TTL)
   J TO-DO: CNAME munki.ito.umt.edu -> munki01.ito.umt.edu (low TTL)
   J TO-DO: Certificate and CA bundle for munki.ito.umt.edu
   WAITING ON: external direct attached SSDs for TimeMachine
2. GitHub UM-IT built and repos migrated.
   A. Configured SSH access for munkiadmin user with um-munkiadmin GitHub user.
   B. Encrypted GitHub SSH key and added to munkiadmin keychain. Configured ssh to use encrypted certificate. Destroyed all un-encrypted copies.
   C. Named all local copies of repos the same as GitHub repo name.
   J TO-DO: Browse to https://github.com/orgs/UM-IT while logged into GitHub as JonathanNeffUMontana and accept Owner membership there (Don't de-owner me until everything is finished)
Hours: 12
Artichoke Support - Peet (internal) Apr 9, 2021, 12:52 AM
Completed as of 21.04.08:
1. MunkiReport PHP: https://report.munki.ito.umt.edu/ built on 5.6.5.4224 (twice). The public folder of MunkiReport is served via MAMP at /Volumes/munki-data/munki-report.
   A. Settings for MunkiReport PHP are set by editing "/Volumes/munki-data/Library/httpd/munkireport-php/.env"
   B. AD Authentication cannot be configured because LDAPS is not enabled on your DCs. I've created a single admin user "MunkiAdmin" and put the info in 1Pass. If or maybe when the AD DCs provide encrypted LDAP, update the AUTH_METHODS in .env to AUTH_METHODS="AD,LOCAL"
   C. List of enabled modules: MODULES="applications, appusage, ard, bluetooth, certificate, devtools, directory_service, disk_report, displays_info, extensions, fan_temps, filevault_status, findmymac, firewall, fonts, gpu, homebrew, homebrew_info, ibridge, installhistory, inventory, managedinstalls, mdm_status, munki_facts, munkiinfo, munkireport, munkireportinfo, network, network_shares, power, printer, profile, security, smart_stats, softwareupdate, supported_os, timemachine, usage_stats, usb, user_sessions, users, warranty, wifi"
2. munki-enroll -- Rebuilt the munki-enroll with https://github.com/peetinc/munki-enroll.
   A. Munki-enroll will now update the device display name in the manifest when run as a condition.
   B. If the Device UUID is not included in the 'uuid' property of the device manifest, munki-enroll will add it to the device manifest and to the notes.
   C. If the device UUID does not match the 'uuid' in the manifest, munki-enroll will not update the manifest.
   D. To automatically enroll the machine with the correct manifests attached, the plist /var/root/Library/edu.umt.ito.munki-enroll.plist needs the correct info *before* running munki-enroll ... i.e. 'sudo defaults write edu.umt.ito.munki-enroll MANIFEST2 "Departments/healthpt"'
   E. Pushed current munki-enroll to all clients via Mosyle Profile.
   F. User LaunchAgent will sync any changed computer manifest to wasabi immediately upon the change being written.
   G. If you want computers to automatically create their munki manifests, external DNS for munki.umt.edu and port forwarding for 443 and munki01.ito.umt.edu need to be built. A Linux-based solution that exists only for the purpose of munki-enroll could be built and placed outside of your perimeter, though that might be over-thinking it.
3. Wasabi: health-munki should be able to be destroyed. All content syncs only with um-munki bucket
   A. UM IT Munki-Mosyle profile configured and pushed to all clients. Profile saved in ProfileCreator and committed to https://github.com/UM-IT/munki-sysadmin
   B. um-public has been built and is currently in use for deploying um-munki-client and munki-enroll.
4. MAMP PRO - fully upgraded to 6.3
5. AutoPKG and AutoPKGR ...
   A. Clean up autopkg recipe overrides. Here someone absolutely needs to take a step back and ensure that the autopkg overrides aren't enabled without careful consideration.
   B. I manually moved and updated all items that were not imported correctly in the munki repo
   C. I updated all recipes to ensure they're saving to the appropriate paths with category and developer defined.
   D. I built out OpenJDK installers and autopkg recipe overrides for AdoptOpenJDK 8, 11 and 13
6. um-munki-client
   A. Rebuilt twice with Johnathan
   B. Created Mosyle script with Johnathan to ensure um-munki-client.pkg deploys from Wasabi UM-Public
   C. Updated um-munki-client with current munki and munki-enroll.
J ToDo:
1. Ensure Munki01 TimeMachine drive is mounted.
2. Find out about UM developer account
More updates to come.
[email protected] (internal) Sep 27, 2023, 10:57 PM
Edits made via Bulk Update Tool - see change log for this timestamp