Ever found yourself wishing for a better way to handle macOS application updates and deployments? You’re not alone. After one too many coffee-fueled sessions dealing with vendor updates, security checks, and MDM deployments, I started working on something different. Meet carrus (Latin for “wagon”, because we’re all about carrying things from A to B efficiently).
Quick note before we dive in: carrus is very much a work in progress. While the core ideas are solid and development is active, it’s not ready for production use yet. Consider this a sneak peek at what’s coming.
The Vision
Managing enterprise macOS applications in 2024 involves juggling quite a few flaming torches:
- Chasing down application updates
- Making sure everything is properly signed and notarized
- Packaging things just right for MDM deployment
- Keeping audit trails that would make compliance happy
- Automating all of the above without losing your mind
Carrus aims to tackle these challenges with a thoroughly modern approach: type-safe Python, async operations, and an event-driven architecture that won’t make future maintainers curse your name.
Current State of Play
Right now, we’ve got the foundations in place:
- Core code signing verification
- Basic DMG mounting and handling
- Initial recipe system
- Firefox as our first test case
- Early MDM integration groundwork
Here’s what the recipes look like. No XML in sight, you’ll notice. Just clean, readable YAML that tells carrus what to do:
Where We’re Headed
The roadmap is ambitious but focused:
Phase 1 (Current):
- Getting the basic package handling solid
- Nailing down update detection
- Making sure security checks are bulletproof
- Initial MDM support
- System tests built in from the start
Phase 2 (Next Up):
- Proper Kandji integration via Ploughshare
- Git repository support
- Advanced package customization
Phase 3:
- Full automation system
- Multiple MDM support
- Comprehensive reporting
Phase 4:
- Enterprise features
- Advanced security options
- Custom plugin system
The MDM Story
MDM integration is a core focus, not an afterthought. While currently we’re just laying the groundwork, the plan is to handle:
- Package versioning strategy
- Auto-incrementing build numbers
- Version history tracking
- Automatic package uploads
- Blueprint management
- Health check scripts
We’re starting with Kandji support because the documentation is easy to digest and frankly, I like using it.
Want to Help Shape It?
If you’re feeling adventurous and don’t mind working with code that’s still finding its feet:
Fair warning: you will find bugs. You will find things that don’t work yet. That’s part of the fun of early development!
What’s Next?
Let’s face it - nobody got into IT because they love packaging applications. It’s a means to an end, and that end is getting tools into people’s hands so they can do their work. Carrus aims to make this necessary evil a little less evil and a lot more reliable.
Want to help make it better? We’d love to have you involved. Whether you’ve got code to contribute, bugs to report, or ideas to share, swing by the repository and join in. We’re building this in the open, and while it’s not ready for production yet, we’re excited about where it’s headed.
P.S. Did I mention it’s a work in progress? Because it really is. Everything starts somewhere.